
How Bronx RHIO Ensures Security
Security is central to everything we do.
Here are some ways we ensure that the data and systems in our care are secure:
Participant Risk Assessment (PRA)
The PRA is a questionnaire that we require every Bronx RHIO Participant organization to complete about their organization’s security practices and infrastructure. We use the provided information to help guide our Participants towards better security practices and to ensure every organization we integrate with is up to our security standards.
HITRUST Certification
The Bronx RHIO is required to obtain regular third-party audits and security recertification through the Health Information Trust Alliance (HITRUST). The HITRUST certification process establishes a Common Security Framework by combining several security standards and regulations required of healthcare organizations, including HIPAA, NIST 800-53, the NIST Cybersecurity Framework, MARS-E, and Meaningful Use. HITRUST certification ensures that the RHIO’s security environment and practices are held to the highest standard.
Vendor Risk Assessment
The Bronx RHIO guides all technology and EHR vendors we work with towards better security practices in order to best protect Protected Health Information (PHI). While working with the Bronx RHIO, each technology vendor performs a periodic risk assessment to assess physical and cybersecurity risk and adjust procedures accordingly.
Suspected Incidents Notification
The Bronx RHIO and all Bronx RHIO Participants are bound by the statewide SHIN-NY policy standards to collaborate in investigating any suspected security breaches or unauthorized uses and to report them to the state through a designated entity. The Bronx RHIO reports all such suspected incidents accordingly.
Continuous Monitoring for Breaches Requiring OCR Notification
The Bronx RHIO monitors the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) Breach Report for any security breaches attributed to Bronx RHIO Participants or to organizations undergoing the membership application process. As required by section 13402(e)(4) of the HITECH Act, the HHS Secretary must post on the OCR Breach Report a list of breaches of unsecured protected health information affecting 500 or more individuals. If any such organization is identified on the Report, the Bronx RHIO takes immediate action to investigate and address the risk to the RHIO and its other Participants.
User Authorization and Management
Only Authorized Users trained and credentialed by Bronx RHIO staff can access the Bronx RHIO Virtual Health Record (VHR) portal. Bronx RHIO staff audit VHR portal use to ensure credentialed Users access data only in ways that align with Bronx RHIO Policies & Procedures. Learn more about our Authorized User credentialing and training process here.
Participant Auditing
Bronx RHIO requires all Participants to take part in regular audits. These audits ensure that the RHIO System is used only for purposes authorized by the Participation Agreement and these Policies and Procedures, and that each individual who views data through the RHIO System does so in a manner consistent with the Participation Agreement and these Policies and Procedures, including but not limited to the Privacy Policy and Procedure.
Audits include:
1. Consent
2. Treatment Relationship
3. User Authentication
4. Break the Glass
5. Public Health Administration
6. Organ Procurement Organization
7. Audit Based on Complaint
For results of periodic audits click here.