Foundations: Security and Privacy

From OpenEMR Project Wiki

Owner of this Enhancement

OpenEMR and EHR Support

ViCarePlus HealthCare IT Services & Support

6559, SpringPath Lane, San Jose, CA, USA

Website: http://www.vicareplus.com

Email: services@vicareplus.com

MU Requirements

Meaningful Use Measures:

Conduct or review a security risk analysis per 45 CFR 164.308 (a)(1) and implement security updates as necessary.


Certification Criteria for EHR:

1. Assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information.

2. Permit authorized users (who are authorized for emergency situations) to access electronic health information during an emergency.

3. Terminate an electronic session after a predetermined time of inactivity.

4. Encrypt and decrypt electronic health information according to user-defined preferences (e.g., backups, removable media, at log-on/off) in accordance with the standard specified in Table 2B row 1: A symmetric 128 bit fixed-block cipher algorithm capable of using a 128, 192, or 256 bit encryption key must be used (e.g., FIPS 197 Advanced Encryption Standard, (AES), Nov 2001).

5. Encrypt and decrypt electronic health information when exchanged in accordance with the standard specified in Table 2B row 2: An encrypted and integrity protected link must be implemented (e.g., TLS, IPv6, IPv4 with IPsec).

6. Record actions (e.g., deletion) related to electronic health information in accordance with the standard specified in Table 2B row 3 (i.e., audit log), provide alerts based on user-defined events, and electronically display and print all or a specified set of recorded information upon request or at a set period of time. Table 2B row 3: The date, time, patient identification (name or number), and user identification (name or number) must be recorded when electronic health information is created, modified, deleted, or printed. An indication of which action(s) occurred must also be recorded (e.g., modification).

7. Verify that electronic health information has not been altered in transit and detect the alteration and deletion of electronic health information and audit logs in accordance with the standard specified in Table 2B row 4: A secure hashing algorithm must be used to verify that electronic health information has not been altered in transit. The secure hash algorithm used must be SHA-1 or higher (e.g., Federal Information Processing Standards (FIPS) Publication (PUB) Secure Hash Standard (SHS) FIPS PUB 180-3).

8. Verify that a person or entity seeking access to electronic health information is the one claimed and is authorized to access such information.

9. Verify that a person or entity seeking access to electronic health information across a network is the one claimed and is authorized to access such information in accordance with the standard specified in Table 2B row 5: Use of a cross-enterprise secure transaction that contains sufficient identity information such that the receiver can make access control decisions and produce detailed and accurate security audit trails (e.g., IHE Cross Enterprise User Assertion (XUA) with SAML identity assertions). Not required for certification.

10. Record disclosures made for treatment, payment, and health care operations in accordance with the standard specified in Table 2B row 6: The date, time, patient identification (name or number), user identification (name or number), and a description of the disclosure must be recorded.


From Visolve:

Foundational Infrastructure: Security and Privacy

Links