Sharing More Data? Ask More Questions.
Posted On: July 9th, 2013
Former Vice President, Product Marketing and Strategy, McKesson (Retired)
Sharing data is becoming a common occurrence for home health and hospice agencies, whether you’re exchanging specific patient data with another provider or more general data on your patient population with a state, regional or private health information exchange (HIE).
As you share more data more often, security rises to the top of your list of concerns, as well it should. Asking questions is the best way to familiarize yourself with security terminology and become comfortable with what constitutes a secure connection to an HIE.
At a minimum, HIEs must be fully compliant with HIPAA and the state-specific privacy regulations in their region. They should also have readily available, detailed information on their security policies.
For example, HIEs must consider the following:
- Access to the production facility
- Power quality and backup power
- Smoke detection and redundant HVAC (heating and air)
- Redundant firewalls
- Site autonomy
- Restricted electronic access to the data center
- Protection against electronic attacks
- Hardening and monitoring of web servers, integration servers and file transfer servers
- Controlled access requests
- Strict security account policies
- Encrypted remote access
- Input validation
- Strict authentication
- Credentials management
- Exception management
- Data separation (PHI never sent or received without being encrypted)
- Data auditing
- Data backup
- Data destruction
In a nutshell, any entity you exchange data with should be able to prove to you that it has well-tested physical/network security, that its facilities and processes are audited periodically, and that it has taken all potential patient privacy concerns into consideration.