35 Compliance Questions You Should Ask Your EHR and PM Software Vendors

If your vendors aren't vigilant about privacy and security, you could find yourself drowning in HIT compliance woes.

These questions, adapted from the National Cyber security Center of Excellence, cover the topics they should be thinking about as they look out for your compliance needs. Ask a few to keep vendors on their toes and reduce your risk.

Vendor Agreements

  • Are you willing to sign a comprehensive business service agreement?
  • Are you willing to confirm compliance with HIPAA Privacy and Security Rules, and willing to be audited, if requested?

Third-party Application Integration

  • Does my practice need to integrate the cloud-based EHR system with other in-house products, such as practice management software, billing systems, and email systems? If so, what are the implementation procedures and techniques used?
  • What security features protect the data communicated among different systems?

Personal or Device Authentication and Authorization

  • Do you restrict mobile device types that can access the system?
  • What are the security compliance polices for using my own device to access the cloud-based EHR system?
  • If a device is lost, stolen, or hacked, what countermeasures prevent protected data from becoming compromised?
  • Does the cloud-based EHR system require a user to be authenticated prior to obtaining access to PHI?
  • What are the authentication mechanisms used for accessing the system?
  • Are user IDs uniquely identifiable?
  • Is multifactor authentication used? Which factors?
  • If passwords are used, does the vendor enforce strong passwords and specify the password's lifecycle?
  • Does the system offer role-based access control to restrict system access to authorized users to different data sources?
  • Is the least privilege policy used?

Data Protection

  • What measures protect the data stored in the cloud?
  • What measures protect the data from loss, theft, and hacking?
  • Does the system back up an exact copy of protected data?
  • Are these backup files kept in a different location, well protected, and easily restored?
  • Does the system encrypt the protected data while at rest?
  • What happens if you go out of business? Will all clinical data and information be retrievable?
  • Do you have security procedures and policies for decommissioning used IT equipment and storage devices which contained or processed sensitive information?

Security of Data in Transmission

  • How does the network provide security for data in transmission?
  • What capabilities are available for encrypting health information as it is transmitted from one point to another?
  • What reasonable and appropriate steps are taken to reduce the risk that PHI can be intercepted or modified when it is being sent electronically?

Monitoring and Auditing

  • Are systems and networks monitored continuously for security events?
  • Do you log all the authorized and unauthorized access sessions and offer auditing?
  • Does the system have audit control mechanisms that can monitor, record, and/or examine information system activities that create, store, modify, and transmit PHI?
  • Does the system retain copies of its audit/access records?
  • How do you identify, respond to, handle, and report suspected security incidents?


  • Do you offer the ability to activate emergency access to its information system in the event of a disaster?
  • Do you have policies and procedures to identify the role of the individual responsible for accessing and activating emergency access settings, when necessary?
  • Do you provide recovery from an emergency and resume normal operations and access to patient health information during a disaster?

Customer and Technical Support

  • What is included in the customer support / IT support contract and relevant service level agreements?
  • Can you provide a written copy of your security and privacy policies and procedures (including disaster recovery)?
  • How often do you release new features? How do you deploy them?
This article originally appeared in HIT Help Section of Eye Care Leaders