November 7, 2019
As a medical practice, you know you are responsible for the security of your patients’ electronic medical information. What you may not realize is that changing practice management or EMR systems is a critical time to ensure data security. A security breach during a transition could mean fines, compromised patient data, and/or lost access to important medical information. Whether you are changing systems because your practice has been acquired or you are simply upgrading, you’ll want the peace of mind that comes with migrating and archiving your data in a way that meets your operational requirements along with HIPAA, Meaningful Use, and MIPS requirements.
If you are decommissioning an old EHR or PM system, ensure your historic patient data remains secure and compliant by following these 5 best practices:
Seek Legal Guidance and Devise an Archive Strategy
In our experience, many attorneys suggest that medical practices keep all patient records indefinitely. Seek legal guidance to ensure you fully understand whatever legal obligations you are bound by with regard to both financial and clinical information. Separate from how long you need to maintain your records, you also need an archive strategy for your practice. Legacy applications and servers don’t necessarily need to be maintained for years in order to satisfy your archive policy. Simpler and lower-cost options to extract and archive the data are available, whether the result is hosted in the cloud or on your local network.
Ensure Data is Hosted Securely
Cloud-based and local archive systems are both options to consider, depending on how many locations you have, how often you need to access the data, and whether outside entities such as attorneys or collections agencies also need access. Your archive vendor should be able to make a hosting recommendation based on your practice’s needs and put all necessary security safeguards in place.
Control Access to Patient Data
One of the best ways to ensure patient data security is to document a plan regarding how your data is governed and implement role-based access to records so that providers and other staff only have access to the data that is pertinent to their role. This limits any opportunity for individuals to access information beyond their particular use case.
Log Data Access by User and Document
Ensure your data archive solution maintains usage logs. This is critical both for internal review and for external audits. Reports showing which user accessed which document, and when (with a time/date stamp), should be detailed, informative, and easily accessed.
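As an added illustration of the two preceding practices (role-based access and per-user, per-document logging), here is a small Python archive gateway; it is example code, not part of the original article or any vendor's product, and the roles, record sections and sample chart it uses are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role policy: each role may view only the record sections
# pertinent to its job. Roles and section names are assumptions for this example.
ROLE_PERMISSIONS = {
    "physician":  {"demographics", "clinical"},
    "billing":    {"demographics", "financial"},
    "front_desk": {"demographics"},
}

# Constructed sample archive: document id -> section -> content.
ARCHIVE = {
    "chart-1001": {
        "demographics": "DOB 1970-01-01",
        "clinical":     "Visit note 2015-03-02: follow-up",
        "financial":    "Balance 0.00",
    },
}


@dataclass
class ArchiveGateway:
    """Mediates every read of an archived record and records it in an audit log."""
    users: dict                       # user id -> role
    archive: dict = field(default_factory=lambda: ARCHIVE)
    audit_log: list = field(default_factory=list)

    def read(self, user_id, document_id, section):
        role = self.users.get(user_id)
        allowed = (document_id in self.archive
                   and section in ROLE_PERMISSIONS.get(role, set()))
        # Log the attempt before returning anything, whether or not it succeeds,
        # so denied attempts are visible to internal review and external audits.
        self.audit_log.append({
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user_id, "role": role, "document": document_id,
            "section": section, "outcome": "allowed" if allowed else "denied",
        })
        if not allowed:
            raise PermissionError(f"{user_id} ({role}) may not read {section}")
        return self.archive[document_id][section]

    def report(self, user_id=None, document_id=None):
        """Audit entries filtered by user and/or document: who touched what, and when."""
        return [e for e in self.audit_log
                if (user_id is None or e["user"] == user_id)
                and (document_id is None or e["document"] == document_id)]
```

In a real archive the audit log would be written to append-only storage outside the control of the users it records.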
Make System Security Part of Your Ongoing Risk Assessment Process
As regulations change, it is important to re-evaluate and maintain policies within your current system as well as the archive of old data over time. Security is an ongoing effort, not a one-and-done project. We suggest following the recommendations outlined in the HIMSS Risk Assessment Toolkit and HealthIT.gov’s Security Risk Assessment Tool. Regularly review your systems and policies to assess any risk areas.
Adhering to these best practices when planning your archive policy will help your practice protect electronic health information, remain compliant with regulations, and ensure your data storage methods are cost-efficient and effective.