staceypurdy2826 (2008-08-13):

We are in the process of checking HIPAA compliance, and have some questions about physician use of our EMR on their home (not company owned or maintained) PCs. What is the common consensus on this practice? We do not maintain these machines at all and have no idea of their status as far as security is concerned. Other than setting up a secure VPN, we have nothing to do with them.

Any thoughts would be helpful.

rich76474490 (2008-08-14, accepted answer):

I definitely would not allow it on machines of unknown condition. Here, we forbid users from using the medical systems from outside the office even on company-owned equipment. There are too many unknowns outside a controlled environment to risk patient data.

trevor2 (2008-08-13):

Here the answer would be no. I’ve heard of other facilities doing this, but I wouldn’t do it without a very secure setup. A secure VPN and then a terminal server session that is locked down might do the trick.

DigitalBlacksmith (2008-08-13):

Even a VPN might be a definite No-No, as you are joining an unknown PC to your LAN; even with a segment and proper firewall policy you are going to run into issues. I would suggest a terminal server properly locked down.

Edit: as different from the terminal server suggestion above, just use an encrypted session, no “true” VPN, to save confusion. I did this for a number of years with law enforcement.

staceypurdy2826 (2008-08-14):

Thank you to all of you for answering. It is going to be very difficult to convince the physicians that they cannot do this anymore, but I agree that it needs to be stopped. Thank you.

john92444447 (2008-08-14):

We use Citrix NFuse to publish our applications and securely deliver where needed. There is no need for a VPN and no PHI can be left on the client - so Yes.

jbm8313 (2008-08-14):

John’s on to something there, but if you go the Citrix route, you need to make sure your users aren’t saving patient files onto their local desktop. This can be a challenge teaching the doctors to pay attention to their environment. I have a pathologist here who after 3 months can’t tell his Citrix desktop from his local desktop.

I’m with the majority here and think that it’s far simpler and much more elegant of a solution to have a blanket “no you can’t”. I wish I could get my Medical Director on board with it, though.

philip (2008-08-21):

We use a Juniper SA700 SSL/VPN appliance and a Citrix Presentation Server.

The Juniper checks the machine logging in for Antivirus, Updates and others through ‘Host Checker’. The machine has to pass ‘Host Checker’ before it can go onto ‘Network Connect’ to gain access. Once connected, the docs log onto a Citrix Presentation Server. From there they cannot save the info to their desktop unless they email it to themselves. I am still trying to figure how to stop that.

The best part is that this is all web based, so it is really easy for the docs, nurses and MAs. This works with Mozilla too.

michaeltrombley2730 (2008-09-05):

No matter how secure the system is, you cannot control who may see the information when an authorized user is logged in. A doctor may log in from home, leave it on and his kids and wife can see the data (instant ‘technical’ HIPAA violation). At work, a workstation is in a location that can only be accessed visually by authorized employees. At home, there is no way to control that. So the answer is no.

tobanbarlow (2008-09-08):

With the way physicians in rural areas are stretched into several facilities, we have to give remote access to our physicians. We could not limit where a physician can access his patients' info. We made an addendum to the hospital confidentiality document that all physicians sign when given admission privileges to our facility that included how they were to conduct transactions via remote access.

We use a Terminal Server that is accessed via the web. The particular server has just the 2 ports necessary for remote access open. Our Sonicwall does the rest.

michaeltrombley2730 (2008-09-08):

Yep. The key in special circumstances is that you DOCUMENT the exception to a “normal” rule. If you do that, you meet HIPAA requirements.

philip (2008-09-08):

So does that mean the answer can be “yes”, CanOpener?

frank19176543 (2008-09-18):

I’m in Europe and in our 1000-bed general hospital we have full access to all patient data from anywhere in the world through Citrix. Access is logged but that is the only restraint.

Maybe our situation is somewhat special as we see patients in several different locations and often in private practice too.

I must admit that it is very useful to have ALL the medical data of the patient in front of you, including all prior visits with any physician, all results from the last 15 years, all x-rays and scanners and lab-results, etc…