U.S. Department of Health and Human Services
Health Information Technology and Quality

Our practice would like to acquire an EHR from an Application Service Provider (ASP). What security questions should we be asking of this vendor?

An ASP EHR is located in an off-site data center operated by the ASP vendor. Users normally access the EHR using a web browser and an Internet or other network connection. Typically, the vendor is responsible for the technical operations, while the customer configures the system features to meet its own purposes. The vendor charges a rental or subscription fee for use of the system. The primary advantages of this approach are that it relieves the physician office or clinic from having to acquire and manage computer equipment or software, and that it replaces a capital purchase with an operating expense.

ASP EHR systems are not necessarily any less secure than locally installed systems and can often provide better security at lower costs. This is because the data center is professionally managed with attention to security discipline for system support, physical access, hardware configurations and software maintenance. Security costs are spread across the customers of the data center. Higher volume usage often results in cost-justification for stronger security controls.
Nonetheless, it is important to evaluate the security practices of the ASP provider. Below we list some key areas to assess to determine the appropriateness of the vendor's security practices:

  • The ASP vendor's ability to provide a satisfactory security assessment of its operations
  • The circumstances under which the ASP personnel may access the health records of your patients
  • The ability of the ASP to identify and respond to security incidents
  • The manner in which logical access to your EHR data will be segregated from the data of other provider systems


  • Key questions (Word - 56KB) - Developed by Tunitas; includes questions to ask your ASP to determine the appropriateness of their security procedures.
  • ASP Vendor Security (PDF - 350KB) - a SANS publication (2006) that provides a minimum set of ASP security criteria for 6 categories (general, physical, network, host, web, and encryption) that can be used as part of the RFP process.
  • Evaluating ASP Security - information from Cisco on ASP security topics and best practice recommendations.
  • URAC HIPAA Privacy Accreditation - an accreditation program for health care organizations that outlines a privacy framework for an effective compliance program.
  • URAC HIPAA Security Accreditation - an accreditation program for health care organizations that outlines a security framework for an effective compliance program.

Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.
Health Information Technology Toolboxes help health centers, safety net providers, and ambulatory care providers with electronic and online resources and technical assistance to improve patient care.