The security setup of your system is very important to the daily activities of your staff as well as the security of your practice and patients. Most likely, the security groups in your system were defined during the initial implementation of your EHR. During the implementation there are many moving parts and GE Centricity security just tends to be something that people do to check off the list and never go back to revisit the decisions. Over time, these securities may change due to system upgrades and employee changes but most practices do not go back and update the security settings accordingly.
When reviewing security access for your practice, you should consider a few key areas:
- What groups of employees are currently setup in your GE Centricity security in Administration?
- Have there been any additions or deletions to those groups?
- Are your securities setup at the group level or the user level?
- Are there users in your system that are no longer with you that still have a userid?
- Does the security access of the group meet the requirements of the job function (too much or too little security)?
We have found that many practices have the security of their system setup on the individual user basis instead of the group level. Security by user should be limited to only those rare exceptions that someone does not fit into a group. The process of managing security can be complex and time consuming. GE Centricity security makes it simple for practices to manage security at the group level. Establishing the correct security groups will go a long way to helping you maintain the security of your system.
MACRA/MIPS & HIPAA Security
If you are are planning to attest to MACRA/MIPS or just to review your current HIPAA compliance, a security review is necessary. As part of the Advancing Care Information portion of MACRA, a formal Security Risk Assessment is required. During the security risk assessment, the security expert will review your setup and make some recommendations. These recommendations will help you to determine any areas that may be of concern for your practice. It is also important to note that beyond MACRA, there has been an increase in HIPAA violations which could cost your practice a signficant amount of money.
The best time to consider making these security changes is during an GE Centricity optimization project which will assist in determining any workflow or system gaps which may have been missed during your initial implementation. Another option is to review your security during a system upgrade. Overall, reviewing your system security will not only start getting you into HIPAA compliance but will also make the administrative burden of user management simpler for the practice.