[ Friday, April 02, 2004 ]
Security Compliance: controlling access to all systems with ePHI:
You probably know that the Security Rule, which comes into force in about a year, requires that access to all systems holding electronic PHI (ePHI) be controlled through technical means. This obviously means you must restrict access to electronic medical record systems and be able to track who is accessing what (where that is relevant to your systems, of course). But you must also restrict access to the other systems that contain ePHI: PACS systems, scheduling systems, and other systems that don't live in the IS department. How should you go about doing this?
First, determine all the places where you have ePHI, keeping an eye on removable media (floppies and CDs), hard drives, and network connections. Second, see what protections those systems already have, and make sure you know how to use them. Third, explicitly address these systems and devices in your policies, and make sure your policies include an exception for systems that don't have the capacity for access controls (you need some non-technical protection in that case, such as keeping the systems in locked rooms or keeping the information on disks in encrypted form). Finally, when you're acquiring new hardware or software for these systems, acquiring new systems, or entering into maintenance or management contracts relating to them, make sure you include your security requirements in the acquisition or maintenance contracts.
Hat tip to HIPAAlert and Clyde Hewitt of Phoenix Health Systems for the points.
Jeff [12:08 AM]