MEDITECH CUSTOMERS & THE OIG QUESTIONNAIRE

Hospitals that have received Medicare incentive payments for meaningful use of electronic health records have been asked by the Office of Inspector General (OIG) of the Department of Health and Human Services to complete a survey aimed at identifying fraud and abuse vulnerabilities in electronic health record (EHR) systems. The OIG letter went to all hospitals that received an incentive payment between Jan. 1, 2011 and March 31, 2012, directed specifically to the CEO's or administrator's office. The letter requests that responses be submitted by Oct. 26. The OIG will use the information from the survey as part of a report expected out next year.

OIG staff have informed the AHA that hospitals may take additional time to respond to the survey if needed. In addition, OIG will allow a health system to complete a single response for all facilities where the survey responses would be the same for each entity in the system. Health systems that choose to submit a single response for all their facilities should contact Kim Yates at kim.yates@oig.hhs.gov prior to completing the survey to ensure that OIG properly accounts for their system-level response. AHA urges hospitals that respond to the OIG survey to e-mail a copy of their responses to the association at oigsurvey@aha.org.

The following guide for MEDITECH facilities provides information to assist in correctly responding to specific questions about system functionality. Customers are still responsible for completing the survey and answering questions according to how they have set up the system for their own use. Please note that survey questions specific to the hospital are left blank.

1. Please provide the following information for the individual(s) completing this questionnaire:

2. What type of EHR technology does this hospital use?

3. How many years has the hospital used any EHR technology?

4. Is this hospital part of a network of hospitals that use the same EHR technology?

5. How are diagnoses and procedures coded at this hospital?
MEDITECH does allow for E&M coding using physician documentation for notes within EDM and MPM. The site determines whether this feature is in use as part of physician documentation.

6. Does this hospital have plans to adopt computer-assisted coding?

7. Does access to the hospital EHR technology require the following user authentications?
A. Unique user ID
For all MEDITECH platforms (Magic, Client/Server, 6.0, and 6.1). Administrator users can define usernames based on any standard; the healthcare organization has the flexibility to decide the format of usernames.
B. Password
MAGIC and Client/Server platforms: To prevent unauthorized users from signing on to the system, MEDITECH provides comprehensive password requirements for authentication. The healthcare organization also has the option of using network authentication processes (e.g., Active Directory) independent of MEDITECH for password management.
6.0/6.1 platform: All password management is controlled by the healthcare organization's network authentication processes and is independent of MEDITECH. As such, so long as a user is defined in the MEDITECH system, his or her network password will also provide authentication to the system. This eliminates the need to remember multiple passwords or to re-enter a password to sign into MEDITECH and other systems.
C. Token-based (e.g., identification card)
Optional, for all MEDITECH platforms (Magic, Client/Server, 6.0, and 6.1). Partnered with Imprivata, Forward Advantage offers advanced authentication options, which include USB tokens for MEDITECH healthcare organizations.
D. Biometrics (e.g., fingerprints)
Optional, for all MEDITECH platforms (Magic, Client/Server, 6.0, and 6.1). Partnered with Imprivata, Forward Advantage offers advanced authentication options, which include biometrics for MEDITECH healthcare organizations.
E. Public Key (e.g., PKI, digital certificates)
Optional, for all MEDITECH platforms (Magic, Client/Server, 6.0, and 6.1).

8. Has the hospital implemented the following policies and procedures regarding access to the EHR technology?
A. Automatic user logoff/session timeout
The system has this capability for all MEDITECH platforms (Magic, Client/Server, 6.0, and 6.1); the site will indicate whether it has implemented policies and procedures for this. MEDITECH provides automatic timeout and suspend capabilities, which suspend a user's session and can then log the user off the system after a user-defined period of inactivity. Suspended users are required to re-enter a PIN in order to continue their session. In addition, some MEDITECH customers use proximity monitoring devices, which automatically suspend a user's session once the user leaves the PC and let the user resume the suspended session on returning. Pop-up warning messages are issued in advance of such disconnection.
B. Minimum password configuration rules
MAGIC and Client/Server platforms: When passwords are managed and established within the MEDITECH system, they can be alphanumeric and up to fourteen characters. They cannot be the same as the user mnemonic, the first or last name of the user, or the one-time password. Healthcare organizations also have the option of using network authentication processes independent of MEDITECH for password management.
6.0 platform: All password requirements are defined within the healthcare organization's network authentication environment. If a user is associated with a network user in the MEDITECH system, then access to the system will be authenticated at the point of initial network log-on, with no separate sign-on required.
C. Regular changing of password
MAGIC and Client/Server platforms: Within MEDITECH, system administrators can define the number of days after which the system will require users to change their passwords. Healthcare organizations also have the option of using network authentication processes independent of MEDITECH for password management. If this is the case, password expiration is handled in the network authentication environment; therefore, if a user's network password expires, so does his or her access to MEDITECH.
6.0 platform: All password expiration parameters are defined within the healthcare organization's network authentication environment. Therefore, if a user's network password expires, so does his or her access to MEDITECH.
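The MAGIC/Client-Server rules quoted under 8.B and 8.C (alphanumeric, at most fourteen characters, not equal to the user mnemonic, first or last name, or one-time password, and a change required after an administrator-defined number of days) can be checked locally as below. This is an added illustration, not MEDITECH code; it assumes the comparisons are case-insensitive and that an empty password is rejected, neither of which the guide states, and the sample user record is constructed.

```python
"""Local check of the MEDITECH MAGIC / Client-Server password rules quoted
in questions 8.B and 8.C.  Added illustration, not vendor code.
Assumptions not stated in the guide: comparisons with the mnemonic, names
and one-time password are case-insensitive; an empty password is rejected."""
import re
from dataclasses import dataclass
from datetime import date, timedelta

MAX_LENGTH = 14                      # "up to fourteen characters"
ALNUM = re.compile(r"[A-Za-z0-9]+")  # "alphanumeric" taken as ASCII letters/digits


@dataclass
class UserRecord:
    mnemonic: str            # MEDITECH user mnemonic
    first_name: str
    last_name: str
    one_time_password: str   # initial password issued by the administrator
    password_set_on: date    # date the current password was set


def password_violations(candidate: str, user: UserRecord) -> list[str]:
    """Return every rule the candidate breaks; an empty list means acceptable."""
    problems = []
    if not candidate:
        problems.append("password is empty")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if candidate and not ALNUM.fullmatch(candidate):
        problems.append("must be alphanumeric (letters and digits only)")
    lowered = candidate.lower()
    forbidden = {
        "user mnemonic": user.mnemonic,
        "first name": user.first_name,
        "last name": user.last_name,
        "one-time password": user.one_time_password,
    }
    for label, value in forbidden.items():
        if lowered == value.lower():
            problems.append(f"must not equal the {label}")
    return problems


def password_expired(user: UserRecord, max_age_days: int, today: date) -> bool:
    """True once the administrator-defined number of days has elapsed."""
    return today - user.password_set_on >= timedelta(days=max_age_days)


# Constructed sample user; not a real account.
SAMPLE_USER = UserRecord("JSMITH", "Jane", "Smith", "Welcome1", date(2012, 1, 15))

if __name__ == "__main__":
    for pw in ("Rx2012ab", "jsmith", "Welcome1", "abc-123", "a" * 15, ""):
        print(repr(pw), password_violations(pw, SAMPLE_USER))
    print("expired after 90 days on 2012-04-15:",
          password_expired(SAMPLE_USER, 90, date(2012, 4, 15)))
```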

D. User agreements or contracts to prevent sharing of passwords

9. Does this hospital allow any outside entity (such as a payer) access to the EHR technology?

10. How does the hospital allow outside entities access to the EHR technology?

(12 and 13 have no questions.)

14. To what extent does the hospital consider the following to be barriers to allowing outside entities access to EHR technology?

15. Does the audit log record data for the following events?
A. Each entry or access to the EHR
B. Signature event (the proactive or auto-default completion of a patient encounter)
C. Export of EHR document (printed, electronically exported, emailed)
The MEDITECH patient audit log allows for tracking of exported data. However, this may be suppressed by MEDITECH upon request of the site.
D. Amendments, corrections, or modifications of data
E. Import of data
F. Disabling of audit log: the audit log cannot be disabled.
G. Release of encounter for billing
H. Access by an authorized outside entity

16. Does the audit log record the following data?
A. National Provider Identifier (NPI)
B. Date/Time/User stamps
C. Access type (creating, editing, viewing, printing, etc.). However, print is suppressed by default unless the site requests that it be turned on.
D. Internet Protocol (IP)/Media Access Control (MAC) address
E. Network Time Protocol (NTP)/Simple Network Time Protocol (SNTP) synchronized time
F. Method of data entry (direct entry, speech recognition, automated, copy/import, copy forward, dictation)
G. Date/Time/User stamp of original author when data are copied
H. Date/Time/User stamp of original author if data are entered on behalf of another (e.g., an assistant enters clinical information for a physician)
I. Other. Please specify: Date/Time/User stamp of original author, for emulation event and co-sign.

17. Is the audit log operational whenever the EHR technology is available for updates or viewing?

18. To what extent does the hospital consider the following to be barriers to having the audit log operational at all times?

19. Can the audit log be disabled?
There are no commands to enable or disable audit logs; all information is available to authorized users at any time. In addition, there is no limit to the amount of data stored in the MEDITECH system.

20. Who can disable the audit log?
Other. Please specify: The audit log cannot be disabled.

21. Can the audit log be deleted?
The number of days that user audit logs are kept in the LIVE system is typically 180-365 days. This is up to the healthcare organization and is defined as a parameter. We recommend periodically archiving this data, so that even if data from a few years ago is no longer sitting on the LIVE servers, it can be pulled back from the archive. This allows you to always have the data at your disposal.

22. Who can delete the audit log?
Other. Please specify: specific person can delete the audit log. The number of days that user audit logs are kept in the LIVE system is typically 180-365 days. This is up to the healthcare organization and is defined as a parameter.

23. Can the audit log be edited?

24. Who can edit the audit log?
Other. Please specify: one can edit the audit log.

25. How long are audit log data stored?
Data can be stored indefinitely. The ARRA requirement is 6 years. There is no limit to the amount of data stored in the MEDITECH system.

26. Does the EHR technology allow for the destruction of EHR and audit log data according to the hospital's data retention policies?
Best-practice recommendations are to archive audit information, which will then be file-maintained by the transactional system.

27. Can the EHR technology produce a user-friendly version of the audit log (i.e., a summary of audit data in a readable format or embedded in an electronic form) for transmitting, printing, or exporting?
MEDITECH provides standard audit reports, which can be easily tailored to meet specific audit criteria. User and dictionary activity audit information is available and can be instantly viewed on screen, downloaded, printed, or emailed. Search parameters and reports can also be adjusted accordingly. Reports/logs can be downloaded using Windows Print Manager; these reports can then be sent to an audit engine. Audit reports can also be exported into an audit engine in the appropriate format using our Data Repository, which provides a separate ODBC-compliant database.

28. Does anyone at the hospital analyze the audit log data?

29. Which of the following individuals at the hospital analyzes the audit log data?

30. How often is the audit log data reviewed and analyzed?

31. To what extent does the hospital consider the following to be barriers to analyzing audit log data?

32. To what extent are physician progress notes handwritten and/or dictated instead of directly entered into the EHR at this hospital?

33. How are these physician progress notes maintained?

34. Why are physician progress notes not directly entered into the EHR?

35. How are physician progress notes entered into the EHR?

36. To what extent are narrative nursing notes handwritten instead of directly entered into the EHR at this hospital?

37. How are these narrative nursing notes maintained?

38. Why are narrative nursing progress notes not directly entered into the EHR?

39. How are narrative nursing notes entered into the EHR?

40. Are there limits on which EHR users are authorized to electronically export, transfer, or print EHR documents?

41. Does the EHR technology require the user to document why an EHR document was electronically exported, transferred, or printed?

42. Does the EHR technology have the capability to disable the Print Screen function?
Via MS Windows Print Manager.

43. Does the hospital disable the Print Screen function for the EHR technology?

44. Do patients have the following electronic access to their EHR data?
To pertinent selected sections.

45. To what extent does the hospital consider the following to be barriers to allowing patient access to their EHR data?

46. What procedures does the hospital require to identify patients upon check-in?

47. For each patient check-in, does the EHR technology have the capability to record which identification procedure was used to confirm patient identity?

48. Can an EHR document be modified after it has been finalized by a "signature event" (i.e., the proactive or auto-default completion of a patient encounter)?

49. Are the original unmodified EHR data retained?
In draft status.

50. Can the following features be customized in the EHR technology?
Copy/Paste
Templates

51. Does the hospital have a policy regarding the use of the copy/paste feature in EHR technology?

52. Please describe the hospital's copy/paste policy:

53. Has the hospital implemented any of the following safeguards?

54. Please describe any other procedures, policies, or capabilities specific to the EHR technology that your hospital has implemented in order to maintain data integrity and prevent fraud.