14. Protect Electronic Health Information
This lesson will demonstrate the steps necessary to meet the Meaningful Use requirement for Data Protections.
SOAPware 2011 or later must be used.
Note: To determine the version of SOAPware being used, Click on Help > About SOAPware. This will open a window which will show the version and build of SOAPware currently in use.
Implement security systems to protect patient data. Each user must consistently sign in with their own unique ID in order to accomplish the access control. For emergency access, permit authorized users (those who are authorized for emergency situations) to access electronic health information during an emergency. For automatic log-off, use this feature in Security to set a predetermined time of inactivity which will terminate each session. It is also important to perform a risk analysis, update as necessary, and to correct deficiencies.
Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
For more detailed information on this measure, please Click on the "Reference" link below. This CMS documentation includes information on exclusions, attestation requirements, a definition of terms and important additional information.
CLICK TO VIEW THE CMS DOCUMENTATION ON THIS MEASURE:
Reference CMS: Protect Electronic Health Information
YES / NO ATTESTATION:
This measure is not tracked within the SOAPware Meaningful Use dashboards. This Meaningful Use measure requires that the eligible professional must attest YES to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period to meet this measure.
For more information on the attestation requirements for this measure, please see: CMS: Protect Electronic Health Information.
Protecting Your Electronic Health Information
As the user conducts or reviews the security risk analysis for this Meaningful Use requirement, the user should consider the items discussed below and should ensure compliance with the requirements under 45 CFR 164.308(a)(1).
- HealthIT.gov Security Risk Assessment Tool
- HealthIT.gov Core Measure 15: Protect Electronic Health Information Resources
- Guide to Privacy and Security of Health Information
- HHS.gov Guidance on Risk Analysis
- Health IT Privacy and Security Resources
- Security Standards: Implementation for the Small Provider
Each user will need their own ID and password to log into SOAPware; they must use only their personal ID and password to access SOAPware. To set up users, see: Users in Security.
Emergency Access will permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency. To learn how Security can be used to assign privileges to users who will be authorized to access information during emergency situations, see: Emergency Access Role.
This is accomplished with the settings in Security Manager. See Security Settings: "2. Logging On and Logging Off." The Idle Logout setting will accomplish this requirement. Check the box to activate this setting, and then choose the desired time frame.
Audit Log Report
Security Auditing in SOAPware allows for audit log reports to be generated. To learn how to create Audit Log reports, see: Security Auditing in SOAPware.
Accounting of Disclosures
To record disclosures made for treatment, payment, and health care operations, you will need to follow the workflow for: Record of Disclosures.
Keeping SOAPware updated is also recommended to ensure that the latest data protection available is in use. To update SOAPware, see: Intro to Updating.