Electronic health record (EHR) privacy and security apprehension among healthcare providers is a common hurdle when trying to get these organizations to participate in a health information exchange (HIE). The North Carolina HIE (NC HIE) looked into these concerns in a recent blog post on its website and outlined its own privacy efforts.
Back in January 2014, the NC HIE surveyed 435 North Carolina clinicians and practice managers to learn more about their EHR needs and meaningful use focuses. According to the NC HIE survey, 18 percent considered privacy and security significant roadblocks toward HIE implementation. The organization said that it was the most commonly cited reason for not wanting to participate in an HIE, but gave some insight into its internal statewide privacy, security and HIPAA compliance framework as well. The NC HIE framework was designed, and governed by North Carolina state laws, to encompass healthcare providers, government officials, large and small healthcare organizations, corporations and vendors.
The NC HIE Legal and Policy Workgroup’s Guiding Principles in forming the NC HIE Comprehensive Statewide Privacy and Security Framework included (1) Implement Core Privacy Principles; (2) Adopt Trusted Network Design Principles; (3) Establish Oversight and Accountability Principles. Users must sign NC HIE participation agreements and comply with state law by, for example, reporting material security incidents to the NC HIE. Note: North Carolina is an Opt Out HIE state and NC HIE’s patient consent model permits an individual or their personal representative to elect to disallow his or her patient information maintained by or on behalf of one or more specific Participants from being shared with others through the HIE Network at any time.
Here’s a look at some of the security language in the NC HIE privacy and security framework:
User Access and Authentication
NC HIE ensures user authentication by enforcing multiple parameters to generate unique usernames and strong, secure passwords. Complex usernames and strong, secure passwords verify that a person seeking access to patient information is who they claim to be.
Audit Logs
User access and all user activity is logged and audited throughout every touch point within NC HIE’s System in order to identify which data was accessed by a specific user. Because NC HIE employs secure audit logs, Participants’ Privacy and Security Officers are able to audit individual user activity within their organization.
Data Security
NC HIE’s System is protected by intrusion prevention devices. Participant’s access to data is protected by SSL or TLS Encryption utilizing X.509 digital certificates issued by a well-known public Certificate Authority (CA). All data contributed to, or sent from the HIE Network, is secured by site-to-site IPSEC VPN tunnels which are restricted to the destinations and ports necessary for operation. Server security is accomplished though the combination of both network security (ASA) and at the machine level, utilizing the software firewall built into the operating system. Internal Security is accomplished through network segmentation that is implemented to provide isolation of the core application from other internal services.
Reviewing an HIE’s privacy and security policies is always interesting because a provider would be able to see how exactly their protected health information (PHI) is secured and get an idea of what the HIE has promised contractually.