Assessing Technical and Security Readiness for Direct Electronic Health Record Access

Public health authorities (PHAs) may need to conduct internal capacity building before connecting with healthcare organizations (HCOs), to ensure they are ready to be a trusted partner and to access electronic health information (EHI) and protected health information (PHI). This section presents specific steps PHAs should consider when assessing their readiness to directly access EHI at HCOs.

For a more comprehensive overview of how to assess a PHA’s broad technology and informatics capabilities, refer to the Public Health Informatics Institute’s Informatics-Savvy Health Department Toolkit.

Why Assess Technical Readiness?

When PHAs request direct access to a provider’s electronic health record (EHR), they become external users within that provider’s health information technology environment. To build trust and gain access, PHAs must demonstrate that they can: 

  • Protect sensitive health data. 
  • Follow proper security protocols. 
  • Train public health professionals in safe and responsible system use. 

This is not about having your own complex data exchange system; it is about being a secure, reliable partner within someone else’s.

What Should PHAs Assess?

Here’s a list of questions to assist you in evaluating technical and security readiness: 

1. User Roles  

✓ Has your PHA identified and defined the roles of the public health professionals who will need access to EHI (e.g., epidemiologist, investigator)?

2. Secure Workstations and Devices 

✓ Has your PHA identified whether any fieldwork involving EHI will take place on laptops or other portable devices?

✓ Are all computers used to access EHI encrypted, password-protected, and updated? 

✓ Is data accessed through secure browsers or virtual private networks (VPNs)? 

✓ Are screens locked after a defined amount of user inactivity? 

3. Public Health Professionals’ Training and Accountability 

✓ Do public health professionals understand what constitutes personally identifiable information (PII) and PHI? 

✓ Do public health professionals receive training on HIPAA, data security and confidentiality procedures, and your agency’s privacy policies?

✓ How often are training materials updated? 

✓ Do public health professionals sign confidentiality agreements or attestations? 

✓ Are public health professionals trained to only collect the minimum amount of information necessary for the public health purpose? 

4. Audit and Monitoring 

✓ Can your PHA track which patients’ records were accessed within EHR systems, what data were accessed, and when?

✓ Does your PHA regularly review access logs and investigate inappropriate use? 

✓ Is your PHA able to report incidents, such as improper access, if they occur? 

5. Written Policies and Procedures 

✓ Does your PHA have written standard operating procedures (SOPs) for:

  • Logging into and using provider systems?

  • Responding to security breaches?

  • Terminating access when public health professionals leave their positions?

✓ Can your PHA provide documentation if requested? 
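As an added example (not part of this guidance), the following Python script shows one way a PHA could review EHR access logs against its own staff roster for the conditions raised under Audit and Monitoring and Written Policies: access by a user who is not on the roster, access after a staff member’s termination date, and access by a role not authorized for EHI. The log format, roster, user names and patient identifiers are constructed for illustration; a real EHR audit log has its own format and would need its own parser.

```python
"""Review constructed EHR access-log lines against a PHA staff roster.

Flags the conditions a routine access-log review should catch: a user who
is not on the roster, access after the user's termination date, and access
by a role that was never authorized for EHI.
"""
from datetime import date

# Constructed roster: user -> (role, termination date or None). Not real data.
ROSTER = {
    "ajones": ("epidemiologist", None),
    "bkhan": ("investigator", date(2024, 3, 31)),   # left the agency
    "cdiaz": ("clerk", None),                        # role not cleared for EHI
}
AUTHORIZED_ROLES = {"epidemiologist", "investigator"}

# Constructed access-log lines in a hypothetical format:
# date|user|patient_id|data_elements
ACCESS_LOG = """\
2024-03-15|ajones|P1001|demographics,lab_results
2024-04-02|bkhan|P1002|demographics
2024-04-03|cdiaz|P1003|medications
2024-04-04|zunknown|P1004|demographics
"""


def review_access_log(log_text, roster, authorized_roles):
    """Return a list of (user, patient_id, reason) tuples needing follow-up."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, patient, _elements = line.split("|")
        accessed = date.fromisoformat(when)
        if user not in roster:
            findings.append((user, patient, "user not on roster"))
            continue
        role, terminated = roster[user]
        if terminated is not None and accessed > terminated:
            findings.append((user, patient, "access after termination"))
        if role not in authorized_roles:
            findings.append((user, patient, "role not authorized for EHI"))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(ACCESS_LOG, ROSTER, AUTHORIZED_ROLES):
        print(finding)
```

Each finding is a candidate for the incident-reporting step in the Audit and Monitoring questions; the review itself is only useful if the roster and termination dates are kept current.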

Quick Readiness Tips for PHAs

Do This                                            Why it Helps
Maintain a HIPAA compliance training log           Demonstrates staff readiness
Use VPN or secure access protocols                 Shows secure remote access setup
Assign a Privacy & Security Officer                Provides a go-to person for questions or concerns
Review HHS or CDC public health privacy guidance   Keeps your PHA’s practices aligned with national privacy and security standards

For more information on data security and confidentiality, see CDC’s Data Security and Confidentiality Guidelines: https://www.cdc.gov/sti/media/pdfs/pcsidatasecurityguidelines.pdf