Beaverlog Tips: Volume 28 - September 9, 2005

The THERAPIST Pro Classroom Instruction

We have scheduled a one-day class on The THERAPIST Pro which will be presented on Saturday, October 15, 2005. It will cover features common to The THERAPIST for Windows 1.0, 2.0, and Pro 2.5 as well as some of the newer features added in Pro 2.5. It does not cover The THERAPIST EZ. If there is enough demand we will schedule a class on EZ in the future. Specific topics to be covered include:

  • General Usage Tips
  • Security
  • Entering Services and Payments
  • Printed and Electronic Claims
  • Patient Billing
  • Provider Payroll
  • Making Backups

The class will be held in Corvallis, Oregon. Registration is limited to 18 students. The cost of the class is $350 per person ($325 if you send two or more). Additional details, discounted hotel reservation, and travel information can be found here.

Security Issues

Requiring Passwords

Your first step in securing access to protected data in The THERAPIST is to require passwords when logging in to the program. You must be logged into The THERAPIST with administrator rights to change security options. Go to Setup > Security > Options to make passwords required. Check the box "Require login passwords." If users have not yet set up their passwords, they will be required to do so when they next log in.

Also on that screen is an option to assign individual security rights to users. It is important that this also be checked so that you can determine who is allowed access to which data and program areas.

Security Group Access Rights

In The THERAPIST, access to particular program functions and sensitive data is controlled by security groups (Setup > Security > Security Groups). Every user is assigned a security group. When a user logs in, the program reads the access rights from the assigned security group and these remain in effect until that user logs out or another user logs in.

You can use the supplied four security groups (System Administrator, Master User, Standard User, and Minimal User) or add your own. Whether you are using the above four groups or adding your own, you can control the detailed access rights of each group. The sole exception is the System Administrator group. Users assigned to this group always have total access to all data and program functions.

When you edit a security group, you will see a list of access "doors" that you can enable by adding a check or disable by removing it. This gives you very fine control over what access rights you are giving to the security group and to the users assigned to the group.

Different Security for Different Practices

If you have licensed multiple practices, you can give users different access rights in each practice. In the user options screen (Setup > Security > Options), directly below the drop-down list where you assign a security group, you will find a button labeled "Override Security Group for Each Practice." If a user has been assigned to the System Administrator group, they have all access, so this button is not available.

When you click the button, you will see a list of all of your practices and the security group that will be in effect when the user selects that practice. Their base security group, the one you set on the user options screen, is listed for each practice and is shown in angle brackets and a dimmed color, unless you change it. You can double-click a practice, or highlight it and click the lookup button, to assign a different security group for that user in the highlighted practice. To reset back to their default security group, either reassign the original group or highlight the practice and click the reset button.

You may have noticed when editing a security group that each access door has either "Global" or "Practice" in the Type column. When you assign different security groups for different practices, the user's base security group will control all access doors marked "Global," since these are functions or data that are not related to any particular practice. The doors marked "Practice" will be overridden by whatever security group is selected for a particular practice.
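The resolution rule described above can be modeled in a few lines to review what a user can actually reach in each practice. This is an added example, not code from The THERAPIST: the door names, the doors checked in each group, and the practice names are constructed for illustration; only the group names and the Global/Practice rule come from the text.

```python
# Added illustration: a model of the Global/Practice rule, not The THERAPIST's code.
# Door names, group contents and practice names below are constructed.
from dataclasses import dataclass, field

ADMIN = "System Administrator"

# Each access door is typed Global or Practice (the Type column).
DOOR_TYPES = {
    "Edit Security Groups": "Global",
    "Make Backups": "Global",
    "Enter Payments": "Practice",
    "Print Claims": "Practice",
}

# Doors checked (enabled) in each security group.
GROUPS = {
    "Master User": {"Make Backups", "Enter Payments", "Print Claims"},
    "Standard User": {"Enter Payments", "Print Claims"},
    "Minimal User": {"Print Claims"},
}

@dataclass
class User:
    name: str
    base_group: str
    overrides: dict = field(default_factory=dict)  # practice -> security group

def effective_doors(user, practice):
    """Return the doors open to `user` while `practice` is selected."""
    if user.base_group == ADMIN:
        return set(DOOR_TYPES)  # total access; per-practice overrides do not apply
    practice_group = user.overrides.get(practice, user.base_group)
    doors = set()
    for door, kind in DOOR_TYPES.items():
        # Global doors always follow the base group; Practice doors follow the override.
        group = user.base_group if kind == "Global" else practice_group
        if door in GROUPS[group]:
            doors.add(door)
    return doors

def gained_by_override(user, practices):
    """List (practice, door) pairs the user holds only because of an override."""
    base = User(user.name, user.base_group)
    return sorted((p, d) for p in practices
                  for d in effective_doors(user, p) - effective_doors(base, p))
```

Running gained_by_override over every user and practice gives a short list of the places where an override widens access beyond the base group, which is the list worth reviewing periodically.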

The THERAPIST and Beyond

A password is no good if everyone knows it. Some general dos and don'ts for passwords include:

  • Don't use something obvious like a child's or pet's name.
  • Don't put your password on a sticky note stuck to your monitor or anywhere else someone can find it.
  • Use passwords that combine letters (or words) with numbers and punctuation.
  • Change your password from time to time.

The data files used by The THERAPIST are not encrypted and can be read by anyone with the proper software programs. It was decided that encrypting each file would have a large negative impact on legitimate users and would slow system performance. Despite the fact that the data is not encrypted, unless someone has a good understanding of relational database theory and practice as well as the data definitions used by The THERAPIST, this will do them little good. For example, while they can read a service record, it is not easy to figure out which patient that service applies to.

Still, it is important not to rely solely on the security built into The THERAPIST. Use a BIOS password that prevents anyone without the password from starting your computer. Unless you have Windows NT, 2000, or XP, don't rely on Windows login passwords. All they do is let you have different preferences for each user; there is no security associated with them. Windows NT, 2000, and XP use much stronger protections and the startup passwords on these operating systems are pretty good.

Summary

The security settings in The THERAPIST give you considerable control over who has access to what. This is important since security is a major requirement of HIPAA.