Beaverlog Tips:  Volume 43 - March 12, 2009

Login Security

Four simple steps let you take full advantage of the login security built into The THERAPIST, both Pro and EZ.

  1. Require login passwords and individual security.
  2. Assign each person who uses The THERAPIST their own login. This may seem obvious but you would be surprised how many people we talk to who use only the Admin login and never even changed the login password.
  3. Assign each user to an appropriate security group. Not everybody needs to be a System Administrator and by placing people in this group you may be compromising both the security and the integrity of your data.
  4. Take control of the access rights associated with each security group.

To require login passwords, go to Setup > Security > Options. Check both the Require login passwords and User individual security rights assignments check boxes. The THERAPIST Pro has an additional option to require users to change their passwords periodically. A value of 90 days is not unreasonable. Leaving it as zero disables this feature. Click Ok to save your changes.

Determine Security Group Needs

Before you start making other changes in The THERAPIST, it is a good idea to know what changes you need to make. Many of us think and work better on paper than on the screen so I recommend taking out a piece of paper, well, perhaps a couple of pieces of paper. Make a columnar list of everybody who will be using The THERAPIST along the left side. Make a second list with two entries: System Administrators and Master Users. You will probably be adding one or more names to this list later on.

Now, think about each of the people on your list, how they will be using The THERAPIST, and what they need to be able to do. For example, user Susan needs to enter services and payments but not add or delete patients. Also, she doesn't need to add more users or modify the program's security features.

With this in mind see if you can group your users according to what they need to do. Don't get too detailed yet, just determine how many groups you need. Usually the users will fall naturally into a small number of groups. I usually think first about who needs total access to everything including modifying security. That list should be very small, perhaps only one person. If you make everybody an administrator, you defeat the purpose and run the risk of losing data due to an inexperienced or disgruntled user. Put the letter A next to the names of users who need to be System Administrators.

Next think about who needs to have access to everything except security. These will be your Master Users. Put the letter M next to their names.

If everybody else will require the same types of access, we'll call these Standard Users. Put the letter S next to these names. If, instead, you need more groupings, give each group a name and write a letter or number next to their names according to the group to which you will assign them.
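The paper worksheet described above can also be worked through as a short script. The following Python is an added example, not part of the original newsletter or of The THERAPIST; the task names, every user except Susan, and the max_admins threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Hypothetical task names for the worksheet; these are NOT The THERAPIST's door names.
ALL_TASKS = frozenset({"enter_services", "enter_payments", "add_patients",
                       "delete_patients", "run_reports", "modify_security"})
SECURITY = "modify_security"

# Constructed sample worksheet: user -> what that person needs to be able to do.
SAMPLE_NEEDS = {
    "Dana":  ALL_TASKS,
    "Robin": ALL_TASKS,
    "Lee":   ALL_TASKS - {SECURITY},
    "Susan": {"enter_services", "enter_payments"},
    "Pat":   {"enter_services", "enter_payments"},
    "Kim":   {"run_reports"},
}

def plan_groups(needs):
    """Return {user: letter}. A = needs to modify security, M = everything
    except security, S (or S1, S2, ...) = users sharing the same smaller needs."""
    plan, standard = {}, defaultdict(list)
    for user, tasks in needs.items():
        tasks = frozenset(tasks)
        unknown = tasks - ALL_TASKS
        if unknown:
            raise ValueError(f"{user}: unknown task(s) {sorted(unknown)}")
        if SECURITY in tasks:
            plan[user] = "A"          # only administrators can change security
        elif tasks == ALL_TASKS - {SECURITY}:
            plan[user] = "M"
        else:
            standard[tasks].append(user)
    # One label per distinct set of needs, in a stable order.
    ordered = sorted(standard, key=sorted)
    for i, tasks in enumerate(ordered, start=1):
        label = "S" if len(ordered) == 1 else f"S{i}"
        for user in standard[tasks]:
            plan[user] = label
    return plan

def review(plan, max_admins=1):
    """Warn when the System Administrator list is larger than intended."""
    admins = sorted(u for u, g in plan.items() if g == "A")
    if len(admins) > max_admins:
        return [f"{len(admins)} System Administrators planned "
                f"({', '.join(admins)}); keep this list very small"]
    return []

if __name__ == "__main__":
    plan = plan_groups(SAMPLE_NEEDS)
    for user in sorted(plan):
        print(f"{plan[user]:>2}  {user}")
    for warning in review(plan):
        print("WARNING:", warning)
```

The number of distinct S labels is the number of extra security groups to set up; a warning from review() is the cue to move someone from A to M.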

Now it's time to go into The THERAPIST and implement your security strategy. You have already done steps 1 and 3 so now we'll be doing step 4 next and step 3 last. Don't worry about getting everything perfect. Everything is changeable and you can tweak your settings later as necessary.

Security Groups

In The THERAPIST, go to Setup > Security > Security Groups and notice that there are already four groups waiting for you. You cannot change the System Administrator security group, they always have rights to anything and everything, so start with the Master User. Highlight this group and click the Change button to edit the group rights. What you will see will be a list of security "Doors". You can grant or remove access for each of these doors by checking or unchecking the check box for that door. The doors are grouped into logical categories to make them easier to understand. Additionally, doors are either Global or Practice doors. Global doors control access regardless of which practice data set you are working in. Practice doors can be set separately for each practice. More about this later.

When you highlight a door, a description of the door is shown in the box on the right. You can move up and down using the arrow keys. For this security group, determine whether users in this group should be able to access the functions controlled by each door. Click a door on the list with the left mouse button to change its status from checked to unchecked or from unchecked to checked.

The list is longer than will fit on most screens (you can stretch the window to make it bigger) so don't forget to examine the doors that are off the screen.

When you are finished setting the doors, click the Ok button to save your changes. You can then edit the other security groups or add more if you need to. When finished, close the security groups list.

Users

Next, go to Setup > Security > Users. There will always be at least one user entered: System Administrator. You cannot delete this user or change its login name but you can and should change the password for the Admin login.

If you have not yet given each user a unique login, use the Insert button to add them. Enter their actual names as well as a login name and password. Convenient login names can be their first name, their last name, the first initial and last name or first name and last initial. It doesn't matter what you choose but be consistent.

You cannot see the password you enter, only a series of asterisks, but you are required to re-enter it to be sure you entered it correctly. For the passwords you assign, you have some choices. You can give everyone the same password then require them to change it or you can assign unique passwords to each user. If you start by giving everyone the same password, use something short like "p". That way, you can check later on to see if they actually did change their passwords by counting the number of asterisks in the password field.

Next, use the Security Group drop list to select the security group for this user. If you have multiple practices in your data and you want the user to have different access rights for each practice, you can assign a different security group to the user for each practice. You need to set the per-practice security groups for practices where you want them to have a different security group.

If your users have already been entered, you should still go into their record to check or set their security group assignments.

There is one more option that affects security. On the Options tab is a check box labeled Active user. Never delete a user from the system. Instead, make them inactive by removing the check from this box. Inactive users are unable to login.

There are other settings for the users but they are unrelated to security.

What About Aeris Basic?

If you are using Aeris Basic instead of The THERAPIST, everything is simpler, less flexible to be sure, but much simpler. There are only two security groups and their access rights are pre-determined. Users can be either a normal user or a system administrator. Only system administrators can access the following functions:

  • Restore Offline Backup
  • Restore Quick Backup
  • View Login Users
  • Add a New Practice
  • Edit Program Preferences
  • Delete providers
  • File Utilities (Administrator Utility)
  • Disable Aeris Basic (Administrator Utility)

As in The THERAPIST, System Administrator assignment should be very limited.

Conclusion

Your data is important. So is the confidentiality of patients' protected health information and both are covered under HIPAA laws. The THERAPIST Pro, The THERAPIST EZ, and Aeris Basic all let you control who has access to what but this is meaningless unless you enable it and manage it properly.

TIP: Diagnosis on Claims

Insurance claims, whether printed or electronic, include patient diagnosis codes. The CMS-1500 can list up to four diagnosis codes per claim (page). NSF and HIPAA standard ANSI X12 claims can include up to eight diagnosis codes per patient claim. Because associating a particular service procedure with particular diagnosis codes is complex, it is up to you to tell The THERAPIST or Aeris Basic which diagnosis codes are associated with each service so that it can correctly generate your claims. For each service, you indicate which of the diagnosis codes to reference. How you do this is simple but different in The THERAPIST than in Aeris Basic.

For services in The THERAPIST, go to the Diagnosis tab and check the codes associated with that service. In Aeris Basic, enter the diagnosis code pointers 1 through 4 to associate the service with one of the four possible diagnosis codes.

If you give either program the right information it will create your claims properly.

TIP: Backing Up to Flash Drives

Flash drives, those small devices that plug into a USB port on your computer, are fantastic for making offline backups. Even the cheapest of them hold a lot of data and they are inexpensive, small, and easy to store. There is one catch though: Windows doesn't always assign them the same drive letter when you plug them in. That means you have to pay attention to where you are saving your backup files.

When making an offline backup, you first select what to back up, practice or global data. In The THERAPIST Pro, you can do everything at once but you still have to select what to back up. Once you have selected what you are backing up, you then select where to put it. Here is where you have to pay attention. If your flash drive has been assigned the same drive letter as you indicated in your backup options (Setup > Preferences > Backup Options) the correct location should automatically be selected. Otherwise, you can select a different destination. Easy to do but you have to know to do it, and now you do.