Open EMR & Offsite access ideas

phineas629 wrote on Thursday, January 08, 2015:

Hi all,

I’m new to Open EMR. Still working out the details of how to implement properly for my case.

I have a situation where my providers are visiting clients offsite. The providers do not report to the office on regular intervals. I want the providers to be able to update their hours on a daily basis.

I’m concerned about security. Off site access to Open EMR does not seem like a great idea to me but there is no other options in my case.

So far I thought about possibly creating a website for providers to enter time sheets which would then need to be uploaded into Open EMR. The other option is allowing access to Open EMR itself on our server. Both choices have security concerns for me. Any ideas or experience of how I can pull this off?

Thank you

sunsetsystems wrote on Thursday, January 08, 2015:

A couple of options come to mind.

One would be to put the server on the Internet, but require a client side SSL certificate in order to connect. Do a web search for “apache client side ssl certificates” for more about that. The main risk would be if the provider’s laptop is stolen.

Alternatively, with some programming work the WordPress patient portal could be enhanced to accept whatever information you are wanting to import from the providers. That would eliminate the need to put the OpenEMR server on the Internet at all, but would be more expensive due to the development effort.

Rod
http://www.sunsetsystems.com/

fr4nkie wrote on Thursday, January 08, 2015:

How are you keeping track of employee hours in OpenEMR? Our office uses TimeTrex for time management. It’s open source and runs alongside our OpenEMR installation. Both are open to the internet so we can access from our three satellite locations.

If you do allow access to your webserver, encryption is imperative. Would also be wise to include a robots.txt to the base OpenEMR directory to prevent webcrawlers from indexing.

If you’re not comfortable with that, you could look into a LogMeIn type solution to access a computer from within your network remotely.

mdsupport wrote on Thursday, January 08, 2015:

It is safer to be a client and fetch information from outside world. If this is an inbound update and there are no additional details (e.g. patient, codes etc.), a simple email or sms interface should do the trick. If you want to get fancy, emr can send out an acknowledgement.

fsgl wrote on Thursday, January 08, 2015:

Skimmed over the old thread.

If patients are elderly, their verification of hours worked, must be low tech.

Because security is a major concern, the time management software can run in parallel with OpenEMR & not integrated with it.

Jpeg files of the patient signatures on the bottom of the logs can be uploaded to the main server.

mdsupport wrote on Thursday, January 08, 2015:

Ugh. Do not predicate EMR implementation on smoothly running time reporting system - this thing is not designed for catching naughty employees taking care of absent-minded patients.

phineas629 wrote on Thursday, January 08, 2015:

In my case there is roughly 100 providers. I would need providers to access off site. I would also need the clients to be able to validate the services provided due to compliance requirements.

Rod - I would be interested in programming the possibility of making a portal for the provider. How long would the process take?

Frankie - I’m keeping track through Quickbooks. I was considering it for doing payroll for the company. TimeTrex seems like a great idea. My concern is making large batch updates to Open EMR with reports from TimeTrex. I didn’t remember seeing a module for uploading timesheets or encounters. Would I have to resort to opening MySQL to perform updates and will this be a major security concern? I also need my clients to validate provider work so not sure of how I could accomplish this in TimeTrex.

MD Support - where can i find out acknowledgement information, is it in the wiki?

Thanks for all the replies. I am new to this and have been very afraid to take any steps due to security concerns of offsite access.

phineas629 wrote on Friday, January 09, 2015:

fsgl - is there a walkthrough or documentation for such a process. Our agency has been paper for the last 10 years so this is a major step for us and we’re all freaked out due to compliance concerns. Has someone on this forum been able to successfully implement such a solution?

thanks

sunsetsystems wrote on Friday, January 09, 2015:

Phineas - re the portal - depends on the details of what you want it to do. If you’re interested you can email me, rod@sunsetsystems.com.

Rod
http://www.sunsetsystems.com/

visolveemr wrote on Friday, January 09, 2015:

Phineas

We would like to know what kind of clinical information the providers will access during their offsite visit.
If they access all the clinical information in OpenEMR, then the appropriate solution is to put the OpenEMR server on the internet with utmost security.

And for security purposes:

  1. Make sure your site is https enabled.
  2. Make sure the providers are using Client Side Certificates
  3. The access control is appropriate as per your requirements
  4. If physicians/staff are using their own devices to access PHI, ensure BYOD HIPAA compliance is implemented and instruct the physicians/staff to follow the same.

If the providers will access only certain sections in openEMR, then either of following solutions can be used.

  1. Provide much more restricted access control in OpenEMR using ACL so that they can access only the minimal amount of data.

  2. Other way is to create a minimal portal for the provider, to get the patient and other clinical details. Sync those data with the OpenEMR at regular intervals.

At any point of time, the providers need to ensure the physical safety of the device (from being lost or stolen) they are using.

Thanks
OpenEMR Customization/Support Team,
ViSolve Inc
services@visolve.com
Demos @ ViSolve Demo Library

fsgl wrote on Friday, January 09, 2015:

Additional thoughts.

Patient verification:

A possible solution is Paint in Windows or gPaint in Linux (forget about Gimp, it’s too hard to use). A template is quite easy to rustle up. Even elderly patients are accustomed to signing their names on a touch pad in the grocery store. See attachment below.

The employee can do this offline; save the document & send it back to HQ at the end of the day. The drawing application saves employees the bother of scanning & management the hassle of dealing with paper.

The mousepad on a little netbook may not cut it; therefore an iPad or a device that enables better fine motor control may be necessary.

Above is an updated version of

Another advantage: self-enforcing; no upload, no pay.

If the verification needs to be within OpenEMR, the Draw module of Ray Magauran’s Eye Exam form can be called into service.

Security concerns:

You should be worried about potential breaches of HIPAA. One big, fat fine can mean the demise of your business. With 100+ users, security is not a DIY project.

Consider tunnels & 3 step authentication for login. In addition to the username/password, there are site verification (minimizing re-routing to a bogus site) & one-time security codes texted to the employee’s cell phone.

No HIPAA concern if another patient views log verification.

One of the FAQs answered by our Medical Society lawyers when HIPAA first appeared was whether sign-in sheets represented a breach. Answer: if only 2 pieces of info, name & address, o.k.; but not name, address & phone number.

A “how many angels can dance on the head of a pin” type query.

Time for brainstorming with Rod.

blankev wrote on Friday, January 09, 2015:

This might be an indication on how to make a start:

What they can do, YOU can do better…

mdsupport wrote on Friday, January 09, 2015:

Phineas: There is a bit more clarity now. We deal with home health agencies and have a decent understanding of their challenges. If you are going to use openemr as the main system for that business, you will have a lot more flexibility if you make the system globally accessible in a secure manner rather than recreating the existing functionality in a portal / remote interface. In addition to options suggested earlier, depending on your budget you could also check OpenVPN and some of the commercial options for vpn over http which will let you have a lot more centralized control over remote access. Your development funds can then be used for several enhancements you will need as the operation matures.

Home health will be a great segment of new OpenEMR users if you contribute your changes to the community.

phineas629 wrote on Saturday, January 10, 2015:

Thank you everyone for the knowledge sharing. I will definitely need support to walk through the process. I’d be interested in getting help. My budget is not the largest but I hope we can reach an agreement. Please share with me how you would tackle my problem and the estimated associated costs. I realize there will be unforeseen costs and that will probably be due to my inexperience. This is all new for me so please bear with me through my incompetence and stupid questions.

My email is phineas629@hotmail.com

rpl121 wrote on Saturday, January 10, 2015:

One way to achieve remote access is to use a secure shell tunnel. Typically a server can accept ssh connections through port 22. If you look at the instructions for the ssh tunnel, you can redirect a given port on the host to another port on the server or any other computer on the same LAN as the server. The consequence of this is that one can use an ordinary browser on a remote laptop to connect to a port on the laptop that is connected securely to the server. If you are in Windows, just use putty.exe. If you are in Linux, you can use openssh. If you want/need better security than password only, consider security certificates and maybe even with a port other than 22 just to throw off potential crackers. Multiple users can log on simultaneously using this method.
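
The tunnel described above, as an added example that is not part of the post or of the OpenEMR project. It assumes (hypothetically) that OpenEMR is served over HTTPS on the server’s own port 443, that provider accounts are members of a Unix group named emrtunnel, and an OpenSSH server new enough for PermitTTY (6.7 or later). The drop-in limits that group to one local forward and nothing else, and the audit function checks a config file the way sshd reads it: the first value of a directive wins, so a hardening line appended below an existing weak one changes nothing.

```sh
#!/bin/sh
# Added example, not code from the thread: an sshd drop-in that lets a
# "tunnel-only" group forward exactly one port, plus an audit of the result.
# Hypothetical assumptions: OpenEMR listens on the server's own port 443,
# providers' accounts are in Unix group emrtunnel, OpenSSH >= 6.7 (PermitTTY).

# Server side: append to /etc/ssh/sshd_config (or a sshd_config.d drop-in).
emr_tunnel_sshd_config() {
    cat <<'EOF'
# Keys only. A stolen laptop then needs the key file AND its passphrase.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no

# Providers may open a local forward to the web server and nothing else:
# no shell, no TTY, no forwarding to other LAN hosts, no agent or X11.
Match Group emrtunnel
    AllowTcpForwarding local
    PermitOpen localhost:443
    PermitTTY no
    AllowAgentForwarding no
    X11Forwarding no
EOF
}

# Client side: the command a provider runs (PuTTY: Connection > SSH > Tunnels,
# source port 8443, destination localhost:443), then browse https://localhost:8443/
emr_tunnel_client_cmd() {
    printf 'ssh -N -i ~/.ssh/emr_ed25519 -L 8443:localhost:443 %s@%s\n' "$1" "$2"
}

# First value of global directive $2 in sshd_config $1. sshd itself uses the
# first occurrence of a keyword, and the global section ends at the first Match.
sshd_first_global() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Audit file $1 against the policy above. Prints each failure, returns 1 if any.
sshd_audit() {
    cfg="$1"; rc=0
    [ "$(sshd_first_global "$cfg" PasswordAuthentication)" = no ] \
        || { echo "FAIL: PasswordAuthentication must be no (sshd default is yes)"; rc=1; }
    [ "$(sshd_first_global "$cfg" PermitRootLogin)" = no ] \
        || { echo "FAIL: PermitRootLogin must be no"; rc=1; }
    [ "$(sshd_first_global "$cfg" PubkeyAuthentication)" != no ] \
        || { echo "FAIL: PubkeyAuthentication is disabled"; rc=1; }
    grep -Eqi '^[[:space:]]*PermitOpen[[:space:]]+localhost:443[[:space:]]*$' "$cfg" \
        || { echo "FAIL: tunnel users are not restricted to localhost:443"; rc=1; }
    return "$rc"
}
```

Each provider generates a key with `ssh-keygen -t ed25519 -f ~/.ssh/emr_ed25519` and a passphrase; only the .pub file goes into their authorized_keys on the server. Moving sshd off port 22 cuts log noise from scanners but is not a security control on its own; the key-only login and the PermitOpen fence are what matter. Run `sshd_audit /etc/ssh/sshd_config` after every change, and `sshd -t` to confirm the file parses before restarting the daemon.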

sunsetsystems wrote on Saturday, January 10, 2015:

Another low-tech way to improve security against random hacking is to give your OpenEMR web directory an obscure name, and make sure that the web server will not list the contents of the parent directory (an empty index.html file in this parent directory will serve that purpose).

However do always be sure to use encryption (SSL).

Rod
http://www.sunsetsystems.com/

fsgl wrote on Saturday, January 10, 2015:

Assuming that you submit claims to Medicare Part A, you will be delighted to know that Terry Hill of Lilly Systems & Solutions (e-mail terry@lillysystems.com) has recently completed the 837I module for electronic claims submission.

This brand new module has not been incorporated into version 4.2.0.

Office Ally is a very decent clearinghouse for e-claims.

If our ratio of non-participating/governmental claims to the total is less than 50%, there is no charge. Each month’s ratio exceeding 50% will incur a charge of $19.95.

I would assume that your much larger volume of monthly claims will fall under another fee schedule.

The money saved on paper claims can be used to beef up security.

You will find the Fora to be very friendly & helpful. The transition from paper to digital is quite daunting. Professional support will ease the way.

Feel free to ask any question, however rudimentary. If you should ask the same question repeatedly, the worst will be a link to the Wiki in response.