Implementing an EHR inherently changes the way in which information is managed. This includes the scope of activities necessary for managing the security of EHR data.
EHRs have a number of security features that will require new administrative procedures for implementing and managing. For example:

1. Privilege management. Privilege management refers to the process of managing users and their rights to access specific EHR features and data. Most EHR access control is based on role and privilege assignments. Some EHR predefine roles while others allow the customer to create their own roles. Roles can be thought of as unique sets of features that occur across users. Individual users are assigned to one or more roles and inherit the user privileges that belong to the assigned role. Roles are typically defined when the EHR is first configured and periodically updated. The primary ongoing maintenance activity is to modify the user assignments as needed to respond to staffing changes. Role definition and creation is usually assigned to the EHR support staff, but user assignments can be performed by the office or HR managers.
2. Audit. An EHR system will provide a detailed record of access and modification to patient records. These logs play a vital role in the ongoing security management of the EHR system; but only to the extent that the logs are routinely reviewed. With appropriate training, access log review can be assigned to office or medical records staff or left to the EHR support staff.

EHR systems have a broader base of users than any other medical information system. Consequently it is wise to plan for increased training and support activities:

1. Training and Level One Support. EHR vendors normally provide "trainer the trainer" support in order to keep training costs to a reasonable level. This means that the provider must identify staff to be trained as trainers. Typically a "superuser" will designated as on-site trainer. These individuals then train other staff members and are available to routinely occurring questions regarding system use.
2. Site Administrator. There should be a single person at the provider site assigned responsibility to manage technical communications with the EHR vendor. The site administrator works with vendor's customer service staff to address operating, performance, feature enhancements, data integrity, software patches, software upgrades and other technical issues.

Policies and Procedures that details the organization's approach needs to be developed and implemented. These policies and procedures should be available in a written (which may be electronic) form. All required documentation should be retained for 6 years and be available to persons implementing the policies and procedures. Documentation should be updated periodically.

Tools:
HIPAA Security Series - Organizational Requirements and Policies and Procedures and Documentation Requirements - Developed by the Center for Medicare & Medicaid Services (2007). This tool includes a review of the Organizational Requirements and Policies and Procedures and Documentation Requirements standards and implementation specification listed in the Security Rule and discusses the purpose for each standard, and provides sample questions that covered entities and business associates may want to consider when implementing these standards.

Resources:
NIST Computer Security Resource Center Role Based Access Control (RBAC) is a reference for this topic (2008). It contains material on RBAC concepts, cost-benefits, design and implementation issues, and standards.
Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices - From the Office of the National Coordinator (ONC). This guide is intended to assist small health care practices in reassessing their existing health information security policies in adopting and implementing EHRs. This guide poses questions that your practice can use to identify appropriate safeguards and conduct risk assessments to secure electronic health information.