The State Bar of CA recently published an article by Record Retrieval Solutions discussing how using a Medical Records Retrieval (MRR) service makes good sense for law firms. Here’s a link if you would like to read it in its entirety: State of CA Big News article
But there are other factors to consider when choosing an MRR. While most attorneys focus on compliance, there are additional considerations that are very specific to the safety and security of your client’s electronic personal health information or EPHI.
Let’s review the following checklist:
Location, Location, Location
Did you know that, in an effort to keep their costs low, many MRRs actually store documents on servers located outside the United States? So in the event of a disaster, whether natural or man-made, those servers holding your clients’ medical records MIGHT not be available – ever. Non-US-based businesses can claim anything regarding their compliance with US laws. But in reality, how can you ever be sure that they will respond to a request from a firm based in the US? Sure, they can be held accountable for breach of contract, but how long will it take them to respond? Are the same security rules in place in an offshore country? Could you schedule a visit to verify their compliance with their stated “hardened security” guidelines? If so, what would that inspection cost?
Microsoft SharePoint has become the de facto standard for sharing information among and between businesses and individuals in business. SharePoint has many outstanding features, including encryption, but that security is only as good as the IT maintenance being performed. MS provides frequent patches, updates and security fixes. And, as of July 14, 2015, MS no longer provides patches and updates for MS Server 2003 and/or MS Small Business Server 2003. It seems remarkable that some firms continue to use these more-than-a-decade-old servers. But “there are still millions of machines running Server 2003, with pockets of the software in most data centers,” according to Computerworld.com magazine - Laggards Face Looming Windows Server 2003 Retirement
Regardless of the age or brand of storage, hardware or software, it is imperative that 128-bit industry-standard encryption is deployed. As part of the vetting process for selecting an MRR service provider, proof of SSL 128-bit encryption is required: that is, the site should serve records only over SSL/TLS (HTTPS), with at least 128-bit cipher strength negotiated for the session.
Even with solid site encryption in place, it is equally important for the documents, records, and other EPHI to be protected with an even higher level of encryption. This is especially true when using mobile devices over open or unencrypted Wi-Fi hotspots. The web browser must support, and the website must insist on, a 256-bit AES encryption key. Failure to provide this level of protection poses risks and potential liabilities to firms using remote devices to access client medical records.
User Name and Login Passwords
Can your MRR quote the guidelines for HIPAA compliance when it comes to passwords used to access on-line EPHI? If they do not mention case sensitivity when asked, you may be risking an insecure access website.
Here we cite the specific HIPAA compliance rule: “In general, covered entities should be extremely cautious about allowing the offsite use of, or access to, EPHI. There may be situations that warrant such offsite use or access, e.g., when it is clearly determined necessary through the entity’s business case(s), and then only where great rigor has been taken to ensure that policies, procedures and workforce training have been effectively deployed, and access is provided consistent with the applicable requirements of the HIPAA Privacy Rule.” The HIPAA Privacy Rule: Standards for Privacy of Individually Identifiable Health Information, December 28, 2000, 65 FR 82462, as amended August 14, 2002, 67 FR 53182
Thus it is incumbent on the law firm to ensure that their MRR is providing a strong user ID and password, that trivial passwords are not accepted, and that a user is locked out after several failed login attempts.
Phishing is a fraudulent attempt, usually made through email, to steal personal or client information. MRR services that use multiple URLs provide an opportunity for theft of client EPHI. Data that remains static presents an opportunity for hackers to grab information that may remain resident after a session is over. Instead, use of Java-based technology provides dynamic rendering of data without the ability to track data through URLs. This is an extremely important addition to any checklist you are using when considering an MRR.
The above checklist is a good place to start when considering a Medical Record Retrieval service. Records Retrieval Solutions (RRS) is THE leader in ensuring complete and total compliance with the above checklist as follows:
- RRS servers are located in the United States, with a primary server in the state of Texas, backed up three times each day, and with a remote server backup in Arizona.
- Site Encryption: The RRS site is SSL certified using a 128-bit key. This certification is recognized around the world and assures you that the information accessed from, and provided to, this site is safe.
- Data Encryption: This web application communicates with our web server using encrypted data, both coming to the server and returning to the browser. This data is encrypted using a 256-bit AES encryption key, which meets and/or exceeds all government standards for data transmission.
- Passwords: User names and passwords required for accessing data are case-sensitive, per HIPAA standards, with built-in denial of access after multiple unsuccessful login attempts.
- URL Phishing: This site uses a single URL and runs exhaustively on Java technology to ensure that data is dynamically rendered to the end user. Thus we remove the ability to track data through URLs. Documents stored on RRS servers are inaccessible via URL or other phishing methods. As documents are uploaded to this site, they are securely stored outside of the web folders. They can only be retrieved by our secure internal application. Documents that are requested from this site are dynamically accessed by our 256-bit encrypted code. Output is provided directly to the end user, ensuring that records can only be retrieved upon authorized request.
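Two of the checklist items above, lockout after repeated failed logins and documents that are stored outside the web folders and handed out only on an authorized request, can be sketched in code. This is an added example, not RRS’s own application: a minimal Python portal with case-sensitive password hashing, denial of access after MAX_FAILED_LOGINS failures, and records addressed only by random ids under a hypothetical DOC_ROOT outside the web tree, returned only after a session and per-user authorization check.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass, field

MAX_FAILED_LOGINS = 5        # deny access after this many consecutive failures
DOC_ROOT = "/srv/rrs_docs"   # hypothetical folder outside the web server's document tree

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 over the raw bytes, so the comparison is case-sensitive by construction.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_logins: int = 0
    allowed_docs: set = field(default_factory=set)  # opaque ids this user may retrieve

class Portal:
    def __init__(self):
        self.accounts = {}   # username -> Account
        self.docs = {}       # opaque id -> path on disk; never exposed as a URL
        self.sessions = {}   # session token -> username
    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or acct.failed_logins >= MAX_FAILED_LOGINS:
            return None                      # unknown or locked out: same answer either way
        if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failed_logins += 1          # wrong password (a wrong-case password counts)
            return None
        acct.failed_logins = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def store_document(self, filename, owner):
        doc_id = secrets.token_urlsafe(16)   # random id, not derivable from the filename
        self.docs[doc_id] = os.path.join(DOC_ROOT, os.path.basename(filename))
        self.accounts[owner].allowed_docs.add(doc_id)
        return doc_id
    def fetch_document(self, token, doc_id):
        # Every retrieval passes through the session and per-user authorization check.
        user = self.sessions.get(token)
        if user is None or doc_id not in self.accounts[user].allowed_docs:
            return None
        return self.docs[doc_id]
```

A real deployment would stream the file contents rather than return the path, and would persist accounts and sessions; the shape of the checks is what the checklist items describe.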
Records Retrieval Solutions wants to be your partner in lowering costs of requesting, collecting and managing your client’s EPHI. Contact us today at 866-211-7866 for a no-cost consultation on how our best practices go beyond ensuring HIPAA compliance, and reduce your risk.
Chuck Dart, President