Case Study: Security Advice for Physicians
Practical Insights for Small Group Practices
When it comes to information technology, Stasia Sands-Kahn, M.D., co-founder of the three-physician Fox Prairie Medical Group in St. Charles, Ill., is a self-taught expert. She learned about IT on the job when implementing an EHR from Nextgen Healthcare Information Systems Inc. seven years ago.
Based on her experience, she advises small practices to ask EHR vendors key questions before they buy a system, including:
- If the practice hosts the system on its own server, how does the application accommodate encryption to keep sensitive patient information secure?
- If the practice uses a remotely-hosted system, how does the vendor secure the patient information in its data center?
- What options does the software vendor offer to enable the practice to communicate with patients securely? For example, does it offer a patient portal, or does it require the practice to implement its own secure e-mail program?
Kahn is so motivated to share the lessons she's learned that this week she launched a new Web site offering advice for EHR novices.
Doing Your Homework
Practices implementing EHRs need to have a physician champion who stays up to date on the regulations for the Medicare and Medicaid financial incentive program under the HITECH Act, Sands-Kahn says. Her practice plans to apply for incentive payments when the program kicks in next year.
The physician champion also needs to keep up with the various security and privacy requirements under HITECH, she adds.
Fox Prairie Medical Group updates its risk assessment annually, shutting down the practice for a half-day "compliance meeting" so everyone can get involved, the physician says.
While documents from the American Medical Association and other sources can help with risk assessments and security policies, every practice needs to create its own customized manuals, she stresses. "I recognized early on that you can't just take someone else's privacy and security manual because it doesn't apply to your practice and its needs," she says.
The practice's security policies include:
- Clinical data is not stored on laptops that physicians take home, nor on the tablets or PCs that staff uses in the office. Instead, it resides on a server accessed using virtualization technology from Citrix Systems.
- Remote access to the EHRs via Citrix is offered only to the physicians.
- The server is kept in a locked room and protected by a firewall.
- Backup tapes are stored offsite.
- Faxes are exchanged only with organizations that sign a form confirming they have a secure fax location, as required under HITECH.
Role of Encryption
The practice has not applied encryption to end users' computers because clinical data does not reside on them, Sands-Kahn says. However, it plans to begin encrypting its backup tapes, which it stores offsite, after it replaces its server, she adds.
Encryption likely will slow the nightly backup process, which could make it more difficult for physicians to access information in an overnight emergency, she acknowledges. So she's pondering whether to apply encryption nightly or weekly.
The practice also is contemplating whether to offer patients a portal where they can communicate with doctors and retrieve records or use some sort of secure e-mail system instead. It already uses a secure portal, developed by e-Medapps, to share records with specialists to whom it refers patients. The suburban Chicago consulting firm, which helped the practice select its EHR software, also lends a hand with computer maintenance issues.
Sands-Kahn helped form Northern Illinois Physicians for Connectivity in hopes of creating a suburban health information exchange involving local physicians and hospitals.
The mission of the group, however, recently changed to focus on helping physicians make the move to EHRs. For example, it has formed a hardware purchasing consortium and will negotiate discounts with preferred EHR vendors and consultants.