The Institute of Medicine (IOM) 1999 report “To Err is Human: Building a Safer Health System” found that about 98,000 lives could be saved in the U.S. each year by preventing avoidable medical errors. This landmark report addressed many clinical shortfalls, and it raises the question of whether the multi-billion dollar investments made since then have significantly improved patient safety over the years.

EMRFinder values its customers, and here we look at the security features an EHR software should have to successfully demonstrate Meaningful Use (MU) and to stay HIPAA-compliant, protecting the confidentiality and availability of the health information you keep.

Top 7 Patient Safety Parameters by EMRFinder

Meet the federal security requirements

Providers should use Certified Electronic Health Record Technology (CEHRT) in order to meet the federal MACRA security requirements for privacy when exchanging information. (Offered by AdvancedMD)

Encrypted database.

256-bit encryption reduces the probability that anyone other than the intended recipient who obtains the stored data or the access code could decrypt and extract a patient’s confidential information. HIPAA may not make encryption compulsory, but it is strongly recommended. (Offered by Athenahealth)

Role-Based Access Control (RBAC).

A growing concern for practices is having a secure patient portal that can manage dependent accounts (e.g. a spouse’s account). As the name suggests, RBAC grants access to specific information within the organization based on the user’s role. For example, the information needs of administrative staff differ considerably from those of nursing staff.

Password Protection

Robust validation, such as a security question or two-factor authentication (e.g. an SMS message or email carrying a one-time security code sent to the user’s mobile phone), should be applied. Moreover, all employees/users should have complex passwords (alphabetic, numeric and special characters, etc.) that are reset every 60 days. You can further validate users with additional security questions (such as place of birth). (Offered by NueMD, Kareo)
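The three checks described above, as an added example that is not EMRFinder’s code nor that of any vendor named on this page: a complexity rule, the 60-day rotation, and verification of a one-time code of the kind delivered by SMS or an authenticator app. The 12-character minimum and the one-time-code parameters (SHA-1, 30-second step, 6 digits, RFC 4226/6238) are assumptions chosen for the demo; the 60-day reset interval comes from the text.

```python
"""Added example, not EMRFinder's or any named vendor's code: password complexity,
60-day rotation and one-time-code checks. MIN_LENGTH and the TOTP parameters are
assumptions for the demo; the 60-day interval is the one stated in the text."""
import hashlib
import hmac
import string
import struct
from datetime import date, timedelta

MIN_LENGTH = 12                          # assumption: the text only says "complex"
MAX_PASSWORD_AGE = timedelta(days=60)    # reset interval stated in the text
SPECIAL_CHARS = set(string.punctuation)


def password_problems(password: str) -> list:
    """Return the complexity rules the password fails (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric characters")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special characters")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than the rotation interval."""
    return today - last_changed > MAX_PASSWORD_AGE


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current 30 s step and `window` steps either side
    (tolerates clock drift); comparison is constant-time."""
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def login_checks(password: str, last_changed: date, today: date,
                 totp_secret: bytes, submitted_code: str, unix_time: int) -> dict:
    """Combine the three checks the way a portal login would."""
    return {
        "password_problems": password_problems(password),
        "password_expired": password_expired(last_changed, today),
        "second_factor_ok": verify_totp(totp_secret, submitted_code, unix_time),
    }


if __name__ == "__main__":
    # Constructed demo values; the secret is the RFC 6238 test secret, not a real one.
    demo_secret = b"12345678901234567890"
    print(login_checks("Tr0ub4dor&3xtra!", date(2024, 1, 1), date(2024, 3, 2),
                       demo_secret, totp(demo_secret, 59), 59))
```

Run as a script, the demo reports an acceptable password, a valid second factor, and an expired password (61 days since the last change), which is the case a portal should turn into a forced reset rather than a silent login. The `verify_totp` window is the usual trade-off between tolerating clock drift and widening the set of codes accepted at any moment.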

Activity Log

Recording key activities is important: periodic reviews of the activity log establish accountability and so reduce the risk of inappropriate access and violations.
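The RBAC and Activity Log points above fit together naturally, so one added example (not EMRFinder’s code nor any vendor’s) serves both: every read of a patient record section is checked against the user’s role, every attempt is written to an activity log whether or not it was allowed, and a periodic review flags repeated denied attempts and users touching an unusual number of distinct patients. The roles, the sections each role may read, the review thresholds and the patient records are all constructed for the demo.

```python
"""Added example, not EMRFinder's or any named vendor's code: role-based access to
record sections plus an activity log and a periodic review over it. Roles,
permissions, thresholds and records are constructed assumptions for the demo."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: which record sections each role may read. A real deployment would
# load this from configuration rather than hard-code it.
ROLE_PERMISSIONS = {
    "administrative": {"demographics", "billing"},
    "nursing": {"demographics", "vitals", "medications"},
    "physician": {"demographics", "vitals", "medications", "notes", "billing"},
}


@dataclass
class User:
    username: str
    role: str


@dataclass
class AuditEntry:
    when: datetime
    username: str
    role: str
    patient_id: str
    section: str
    allowed: bool


class Ehr:
    """Minimal record store: {patient_id: {section: data}} with a per-read audit trail."""

    def __init__(self, records):
        self._records = records
        self.activity_log = []

    def read(self, user: User, patient_id: str, section: str, when=None):
        when = when or datetime.now(timezone.utc)
        allowed = section in ROLE_PERMISSIONS.get(user.role, set())
        # Log before enforcing, so denied attempts are recorded as well.
        self.activity_log.append(
            AuditEntry(when, user.username, user.role, patient_id, section, allowed))
        if not allowed:
            raise PermissionError(f"role {user.role!r} may not read {section!r}")
        return self._records[patient_id][section]


def review_log(log, max_denials=2, max_patients_per_user=5):
    """Periodic review: flag repeated denied attempts and unusually broad access.
    Thresholds are demo assumptions; tune them to the practice's normal workload."""
    denials = Counter(e.username for e in log if not e.allowed)
    patients = defaultdict(set)
    for e in log:
        if e.allowed:
            patients[e.username].add(e.patient_id)
    findings = []
    for user, n in denials.items():
        if n >= max_denials:
            findings.append(f"{user}: {n} denied access attempts")
    for user, ids in patients.items():
        if len(ids) > max_patients_per_user:
            findings.append(f"{user}: accessed {len(ids)} distinct patient records")
    return findings


def demo():
    """Constructed scenario: a clerk probes clinical notes, then browses billing
    for every patient in the store."""
    records = {
        f"P{i}": {"demographics": {"id": f"P{i}"}, "vitals": {"bp": "120/80"},
                  "medications": [], "notes": "...", "billing": {"balance": 0}}
        for i in range(1, 8)
    }
    ehr = Ehr(records)
    clerk = User("clerk1", "administrative")
    nurse = User("nurse1", "nursing")
    ehr.read(nurse, "P1", "vitals")                 # within role: allowed
    for pid in ("P1", "P2", "P3"):                  # outside role: denied, but logged
        try:
            ehr.read(clerk, pid, "notes")
        except PermissionError:
            pass
    for pid in records:                             # allowed, but unusually broad
        ehr.read(clerk, pid, "billing")
    return review_log(ehr.activity_log)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The point of logging before the permission check is that the review sees the attempts that were refused, not only the reads that succeeded; the breadth check catches the opposite case, where each individual read was permitted but the pattern as a whole is out of line with the user’s job.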

Consent Form

A complete and detailed consent or opt-in agreement (preferably printable) in which the patient clearly understands, and willingly agrees to, the risks associated with the unavoidable insecurity of patient-provider communication.

PCI Compliance.

The Payment Card Industry Data Security Standard (PCI DSS) details a fundamental part of online patient bill-pay systems: keeping customers’ payment card data secure. Ensure that transaction details are not stored by the portal or EHR unless your practice is PCI compliant.