Am switching from a server based EMR to a cloud based EMR. Do those on the cloud have any special in-house security measures etc. An IT person is suggesting that a "windows domain" or "windows work group" is not HIPAA compliant. Do practices have a HIPAA security rules document in place? Does anyone know of a template? There is an article in the FPM Journal recently...looks fairly onerous....
Jim Bloomer, Exeter, NH.
"common problem areas with respect to Security Rule compliance:
Nonexistent or incomplete SRAs,
Lost or stolen media storage devices containing unencrypted ePHI – including laptops and thumb drives,
Improperly configured appointment calendars, which are publicly searchable online.
In many cases, the covered entities that have made these errors also fail to implement effective policies and procedures to detect, prevent, contain, and correct security violations."

The only weird thing with the cloud is you need a specific BAA, not just the cloud's usual security measures, which are usually far in excess of what you need. ONC has gotten weird on this, and insists on a document labelled "BAA".
Should have posted this rather than reply on email...here it is. Thanks Peter.

Hi Jim, if it's ok with you, we should put this on the public discussion board so others can benefit. Your connection with your cloud server will be "HTTPS," not "HTTP." HTTPS alone gives you credit-card level security in your connection. The folks that issue a security certificate confirm the identity of the site to a more than reasonable degree, and the "handshaking" uses public key encryption to secure your connection. (Google "public key encryption".) Ask your IT guy about how much security you get with HTTPS. It's a reasonable way of gauging how expert he is. If he doesn't understand HTTPS gives you
then you absolutely need another IT person. Seriously. What would you think about a doctor who told you to get your appendix taken out, 'just in case'? The risk in an HTTPS connection is orders of magnitude less. https://www.healthit.gov/providers-professionals/faqs/what-does-https-web-address-mean How much security do you need? https://www.youtube.com/watch?v=Oo9k83jhFf4 (Click the link.)
"There are various reasons for wanting to use free VPN (virtual private network) software, but the two main ones are to hide who you are, or to hide where you are. Why might you want to do either of these things?"