Posted By Monique Dever On April 20, 2015

6 Things Your EHR Must Do to Secure Patient Information

In order to successfully attest to Meaningful Use (MU), public health eligible professionals (EPs) must comply with 15 core objectives established by the Centers for Medicare and Medicaid Services (CMS). A big part of this is complying with HIPAA’s privacy and security rules through the risk analysis requirements.


CMS’s Core Objective to “Protect Electronic Health Information” requires all EPs to “Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement updates as necessary and correct identified security deficiencies as part of the EP’s, eligible hospital’s or CAH’s risk management process.”


Here are 6 privacy and security features you should expect from your EHR:

  1. Meet stringent federal MU privacy and security requirements: This is best achieved if your EHR is federally certified as a “complete” rather than a “modular” system. However, meeting the federal mandate is just the start. A good EHR should also include the following 5 features. 
  2. Encryption: In this connected world, and with the federal mandate to exchange patient data with other community providers, it is important to ensure adequate encryption of all personal health information that is sent over the internet. Though one can manage with 128-bit encryption, it is best to have 256-bit encryption. 
  3. Provide Role-Based Access Control (RBAC): Not every user in your practice needs to see everything about a patient, so grant access only to the specific areas each role requires. For example, registration staff won’t need access to clinical data. Similarly, not everyone needs access to billing and financial data. The ability to restrict information needs to be very granular, and you should be able to control that access yourself. 
  4. Confidential Visits: This is particularly important if you are a local health department or provide family planning services. The EHR must have a mechanism to mark a patient or visit as “confidential”. The EHR must be smart enough, for example, not to print and mail visit information to a teen’s home after a family-planning-related visit. 
  5. Include extensive password protection: Robust password protection adds a further layer of security for digital information. Not all of these capabilities will be included by default, and some may be optional extras, but make sure your EHR can provide them. To validate a user, the EHR should have capabilities such as:
    • Password reset requirements (e.g. after every 60 days) which can be controlled by each clinic.
    • Ensure that selected passwords are robust: an 8-character minimum, requiring alpha, numeric and special characters.
    • Ensure additional questions to further validate the user (e.g. name of birth city).
    • Two-factor authentication, which is the holy grail in security. With this, the EHR can send an SMS message to (say) a cell phone with a security code that is needed to complete user set-up and gain access to the EHR. 
  6. Audit Trails: All clinics know that when staff are involved, one needs robust policies, training and agreements in place to ensure staff do not violate HIPAA rules. To detect and investigate any violations, the EHR should keep robust audit trails that record who accessed what, and when.
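To make features 3, 4 and 6 concrete, here is an added example (not Patagonia Health's code) modelling role-based access, a confidential-visit flag that blocks mailing to the home address, and an audit trail that records every decision, allowed or denied. The roles, record sections and sample visits are assumed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Role -> record sections that role may read. Roles and sections are assumed
# for this example; a real EHR would make this table configurable per clinic.
ROLE_PERMISSIONS = {
    "registration": {"demographics"},
    "clinician": {"demographics", "clinical"},
    "billing": {"demographics", "billing"},
}

@dataclass
class Visit:
    visit_id: str
    summary: str
    confidential: bool = False  # set by staff, e.g. a teen family-planning visit

@dataclass
class AuditEvent:
    when: str
    user: str
    role: str
    action: str
    allowed: bool

class EHR:
    """Every access decision, allowed or denied, is written to the audit trail."""

    def __init__(self):
        self.audit_trail = []

    def _decide(self, user, role, action, allowed):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_trail.append(AuditEvent(stamp, user, role, action, allowed))
        return allowed

    def can_read(self, user, role, section):
        # Deny by default: an unknown role gets an empty permission set.
        allowed = section in ROLE_PERMISSIONS.get(role, set())
        return self._decide(user, role, f"read:{section}", allowed)

    def can_mail_to_home(self, user, role, visit):
        # Confidential visits are never printed and mailed to the home address,
        # regardless of the caller's role; non-confidential ones need clinical access.
        has_clinical = "clinical" in ROLE_PERMISSIONS.get(role, set())
        allowed = has_clinical and not visit.confidential
        return self._decide(user, role, f"mail:{visit.visit_id}", allowed)

    def denied_events(self):
        # Denied attempts are what a HIPAA compliance review would look at first.
        return [e for e in self.audit_trail if not e.allowed]
```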

As you look at EHR features, do check out these 6 must-haves for securing patient information.

About Monique Dever

Monique integrates research and networking with her passion for health and well-being to provide important, up-to-date news, resources and current events to the public health communities. She is the Marketing Executive for Patagonia Health, an Electronic Health Records (EHR) software company focused on the public health sector.