Our practice would like to acquire an EHR from an Application Service Provider (ASP). What security questions should we be asking this vendor?
An ASP EHR is located in an off-site data center operated by the ASP vendor. Users normally access the EHR with a web browser over the Internet or another network connection. Typically, the vendor is responsible for technical operations, while the customer configures the system's features to meet its own purposes. The vendor charges a rental or subscription fee for use of the system. The primary advantages of this approach are that it relieves the physician office or clinic from having to acquire and manage computer equipment or software, and it replaces a capital purchase with an operating expense.
ASP EHR systems are not necessarily any less secure than locally installed systems, and they can often provide better security at lower cost. This is because the data center is professionally managed, with attention to security discipline in system support, physical access, hardware configuration and software maintenance. Security costs are spread across the customers of the data center, and higher usage volume often provides the cost justification for stronger security controls.
Nonetheless, it is important to evaluate the security practices of the ASP provider. Below we list some key areas to assess to determine the appropriateness of the vendor's security practices: