From a developers point of view, an I.T. system needs to provide sufficient tools to fine-tune security and system access, however, it remains the responsibility of those in charge of the health care environment to correctly implement these tools to protect PHI. This is our specialty at Citiscape IT.
We would suggest the following as the bare minimum requirements for any health care I.T. system:
The system should be configurable to allow or deny access to any part of the system that may contain patient info. This access can be fine tuned to allow read/update/insert and delete permissions to prevent unauthorized viewing/changing/creation or deletion of patient info.
Complete audit trail of: WHO changed, created or deleted WHAT.It must also limit access to reports containing patient info. If you cannot view certain data, you should also not be able to generate any reports that allow you to do so. This is a common mistake made by I.T. Systems.
The ability tot distinguish between routine patient info and confidential patient info. Some lab tests are "more" confidential than others and may only be viewed and updated by a select few. Point 3 above is a common problem for this level of confidentiality.
If you email confidential data, it should be encrypted and password protected.
A system capable of distinguishing between confidential and routine data should also then be able to limit where this data may be printed. Some systems, for instance, does not allow the printing of confidential results directly to ward printers, instead we define a single "Confidential Printer" per site as the only printer that will allow users to print confidential results. This printer may be in a locked cupboard or supervisor office, or it may be a printer that automatically places all reports in sealed envelopes.
We specialize in Houston-Healthcare IT Projects
Citiscape IT
281-733-2422
Call us for EMR Projects and Business Practice Needs
