Phone: 1-800-624-8832 | Email: hsms.support@henryschein.com | Help Center
Blog
Mar 28

MicroMD Security Features Overview

  • Client Support Team, Henry Schein MicroMD
Back to blogMD

Understanding the HIPAA Security Rule

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes a national set of minimum security standards for protecting all ePHI that a Covered Entity (CE) and Business Associate (BA) create, receive, maintain, or transmit. The Security Rule contains the administrative, physical, and technical safeguards that CEs and BAs must put in place to secure ePHI as outlined below:

Administrative Safeguards
– Administrative safeguards are administrative actions, policies, and procedures to prevent, detect, contain, and correct security violations. Administrative safeguards involve the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of workforce members in relation to the protection of that
information. A central requirement is that you perform a security risk analysis that identifies and analyzes risks to ePHI and then implement security measures to reduce the identified risks.

Physical Safeguards
– These safeguards are physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. These safeguards are the technology and the policies and procedures for its use that protect ePHI and control access to it.

Organizational Standards
– These standards require a CE to have contracts or other arrangements with BAs that will have access to the CE’s ePHI. The standards provide the specific criteria required for written contracts or other arrangements.

Policies and Procedures
– These standards require a CE to adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A CE must maintain, until six years after the date of their creation or last effective date (whichever is later), written security policies and procedures and written records of required actions, activities, or assessments. A CE must periodically review and update its documentation in response to environmental or organizational changes that
affect the security of ePHI.

To assist Covered Entities (CEs) and Business Associates (BAs) in meeting HIPAA Security Rule requirements to protect sensitive ePHI and in completing HIPAA Security Rule Risk Assessments, we’ve compiled the following information on MicroMD security, processes, policies and features related to:

  • ePHI encryption (Surescripts CIN & Henry Schein MicroMD Patient Portal)
  • Auditing functions (MicroMD PM & EMR)
  • Backup and recovery routines (Cloud‐based MicroMD)
  • Unique user IDs and strong passwords (MicroMD PM & EMR)
  • Role‐ or user‐based access controls (MicroMD PM & EMR)
  • Auto time‐out (MicroMD PM & EMR)
  • Emergency access (MicroMD EMR)
  • Amendments (MicroMD EMR)
  • Secure practice‐to‐patient communications (Henry Schein MicroMD Patient Portal)
  • Secure provider‐to‐provider email (Surescripts CIN)

Signed BAA Required for All MicroMD Clients: MicroMD requires having a signed BAA on file with every client.
The BAA outlines joint responsibilities between the CE and MicroMD for access, usage and protection ePHI during in the normal course of business.

Client Server Hosted MicroMD PM & EMR: If a CE using MicroMD PM and/or EMR hosts their own database on
their own network, it is the responsibility of the CE to ensure they assess, implement, test and monitor the required administrative, physical, organizational standard and policies and procedures needed to protect ePHI stored in and transmitted to and from their own network.

Cloud‐based MicroMD PM & EMR: In additional to the security features built in to the MicroMD PM & EMR software, clients hosting their data in our cloud environment have additional levels of security, including:

  • 24/7 secure data storage, access, monitoring and maintenance and 99% average uptime
  • Server tools including switches, firewalls, software and infrastructure support
  • Data disaster recovery and managed data backups
  • SSL 128 bit encryption
  • Unique logins and password for each user and audit trails for log‐in, log‐out and system access
  • System log‐off after a pre‐set length of inactivity
  • MicroMD PM
  • Access management through role‐based access, privileges and permissions for users and/or groups
  • Audit logging of failed login attempts
  • Specify password strength and reset requirements
  • Login in attempt and timed system lock out settings
  • Automatic lock based on established settings
  • Limit access to the system on established days and times

MicroMD EMR – 2014 and 2015 Edition CEHRT: MicroMD EMR was first certified by an Office of the National
Coordinator‐Authorized Certification Body (ONC‐ACB) starting with Version 7.5 in 2011 and continues to maintain compliance in accordance with the criteria adopted by the Secretary of Health and Human Services (HHS). 2014 Edition CEHRT for MicroMD EMR has been tested and certified to security requirements as per 2014 Edition 45 CFR 170.314 criteria. 2015 Edition CEHRT for MicroMD EMR will test and certify to security requirements as per 2015 Edition 45 CFR 170.315 criteria below:

  • §170.315.d.1 Authentication Access Authorization
  • §170.315.d.2 Auditable Events and Tamper‐resistance
  • §170.315.d.3 Audit Reports
  • §170.315.d.4 Amendments
  • §170.315.d.5 Automatic Access Time‐Out
  • §170.315.d.6 Emergency Access
  • §170.315.d.7 End‐User Device Encryption (We don’t store the data on the end user device (computer);
    data is only stored on a client’s server or in a secure Cloud server environment.
  • §170.315.d.8 Integrity
  • §170.315.d.9 Trusted Connection

If you have any questions about MicroMD security features, please contact

Client Support: hsms.support@micromd.com.

Lmicromd.com
P: 330‐758‐8832 • F: 330‐758‐0182 ‐ 760 Boardman‐Canfield Road Boardman, OH 44512 1
December 23, 2016
MicroMD Security Features Overview
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes a national set of minimum security standards for protecting all ePHI that a Covered Entity (CE) and Business Associate (BA) create, receive, maintain, or transmit. The Security Rule contains the administrative, physical, and technical safeguards that CEs and BAs must put in place to secure ePHI as outlined below (https://www.hhs.gov/hipaa/for‐professionals/security/laws‐regulations/):
 Administrative Safeguards – Administrative safeguards are administrative actions, policies, and procedures to prevent, detect, contain, and correct security violations. Administrative safeguards involve the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of workforce members in relation to the protection of that information. A central requirement is that you perform a security risk analysis that identifies and analyzes risks to ePHI and then implement security measures to reduce the identified risks.
 Physical Safeguards – These safeguards are physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. These safeguards are the technology and the policies and procedures for its use that protect ePHI and control access to it.
 Organizational Standards – These standards require a CE to have contracts or other arrangements with BAs that will have access to the CE’s ePHI. The standards provide the specific criteria required for written contracts or other arrangements.
 Policies and Procedures – These standards require a CE to adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A CE must maintain, until six years after the date of their creation or last effective date (whichever is later), written security policies and procedures and written records of required actions, activities, or assessments. A CE must periodically review and update its documentation in response to environmental or organizational changes that affect the security of ePHI.
To assist Covered Entities (CEs) and Business Associates (BAs) in meeting HIPAA Security Rule requirements to protect sensitive ePHI and in completing HIPAA Security Rule Risk Assessments, we’ve compiled the following information on MicroMD security, processes, policies and features related to:
 ePHI encryption (Surescripts CIN & Henry Schein MicroMD Patient Portal)
 Auditing functions (MicroMD PM & EMR)
 Backup and recovery routines (Cloud‐based MicroMD)
 Unique user IDs and strong passwords (MicroMD PM & EMR)
 Role‐ or user‐based access controls (MicroMD PM & EMR)
 Auto time‐out (MicroMD PM & EMR)
 Emergency access (MicroMD EMR)
 Amendments (MicroMD EMR)
 Secure practice‐to‐patient communications (Henry Schein MicroMD Patient Portal)
 Secure provider‐to‐provider email (Surescripts CIN)
P: 330‐758‐8832 • F: 330‐758‐0182 ‐ 760 Boardman‐Canfield Road Boardman, OH 44512 2
micromd.com
Signed BAA Required for All MicroMD Clients: MicroMD requires having a signed BAA on file with every client. The BAA outlines joint responsibilities between the CE and MicroMD for access, usage and protection ePHI during in the normal course of business.
Client Server Hosted MicroMD PM & EMR: If a CE using MicroMD PM and/or EMR hosts their own database on their own network, it is the responsibility of the CE to ensure they assess, implement, test and monitor the required administrative, physical, organizational standard and policies and procedures needed to protect ePHI stored in and transmitted to and from their own network.
Cloud‐based MicroMD PM & EMR: In additional to the security features built in to the MicroMD PM & EMR software, clients hosting their data in our cloud environment have additional levels of security, including:
 24/7 secure data storage, access, monitoring and maintenance and 99% average uptime
 Server tools including switches, firewalls, software and infrastructure support
 Data disaster recovery and managed data backups
 SSL 128 bit encryption
 Unique logins and password for each user and audit trails for log‐in, log‐out and system access
 System log‐off after a pre‐set length of inactivity MicroMD PM
 Access management through role‐based access, privileges and permissions for users and/or groups
 Audit logging of failed login attempts
 Specify password strength and reset requirements
 Login in attempt and timed system lock out settings
 Automatic lock based on established settings
 Limit access to the system on established days and times
MicroMD EMR – 2014 and 2015 Edition CEHRT: MicroMD EMR was first certified by an Office of the National Coordinator‐Authorized Certification Body (ONC‐ACB) starting with Version 7.5 in 2011 and continues to maintain compliance in accordance with the criteria adopted by the Secretary of Health and Human Services (HHS). 2014 Edition CEHRT for MicroMD EMR has been tested and certified to security requirements as per 2014 Edition 45 CFR 170.314 criteria. 2015 Edition CEHRT for MicroMD EMR will test and certify to security requirements as per 2015 Edition 45 CFR 170.315 criteria below:
 §170.315.d.1 Authentication Access Authorization
 §170.315.d.2 Auditable Events and Tamper‐resistance
 §170.315.d.3 Audit Reports
 §170.315.d.4 Amendments
 §170.315.d.5 Automatic Access Time‐Out
 §170.315.d.6 Emergency Access
 §170.315.d.7 End‐User Device Encryption (We don’t store the data on the end user device (computer); data is only stored on a client’s server or in a secure Cloud server environment.
 §170.315.d.8 Integrity
 §170.315.d.9 Trusted Connection
If you have any questions about MicroMD security features, please contact Client Support: hsms.support@micromd.com.

Return to the eNotes home page →

  

Do you know about the Help Center?

The MicroMD Help Center features a full functioning ticketing system where you can track your support requests and more!

Visit Help Center

Have you seen our blog?

blogMD features articles on regulatory issues in the healthcare industry, patient related topics and urgent care business.

Visit blogMD

eNotes Archive

Vol 43, Sep 2021

Vol 42, Jun 2021

Vol 41, Mar 2021

Vol 40, Dec 2020

Vol 39, Sep 2020

Vol 38, Jun 2020

Vol 37, Mar 2020

Vol 36, Dec 2019

Vol 35, Sep 2019

Vol 34, Jun 2019

Vol 33, Mar 2019

About The Author

Leave a reply

Your email address will not be published. Required fields are marked *