By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
Who can be on a healthcare organization’s system and who can access patient information? HIPAA establishes very clear guidelines and expectations on that front. The baseline expectation is that only individuals who are actually part of an organization’s workforce can access information and then only to the extent connected to the individual’s role and responsibilities.
When an individual leaves an organization’s workforce, then all access should be shut off to avoid a continued ability to obtain patient information. Again, HIPAA regulations contained in the Security Rule are clear on these points.
HIPAA Settlement
What happens when these processes are either not in place or not followed? In the case of the City of New Haven (CT) Health Department, (NHHD), a $202,400 settlement with the Office for Civil Rights. The NHHD settlement represents the first time that OCR has resolved a breach arising from failure to close a former employee’s account. Despite being the first settlement of this nature, the settlement offers important lessons.
Before getting to the lessons, it is helpful to lay out the factual background that lead to NHHD’s settlement. As explained in the Resolution Agreement, NHHD notified OCR of a breach impacting 498 individuals. The breach resulted from a former employee returning to NHHD’s office about a week after being terminated. The former employee along with a union representative, but without supervision from a current NHHD employee, went into their former office and locked the door. While in the locked office, the former employee utilized their login credentials, which were still active, and downloaded information from the computer onto a USB drive.
OCR also stated that an intern was permitted to use the former employee’s login information, but did not include that fact in the Resolution Agreement. The omission in the Resolution Agreement is a bit curious since sharing of logins and passwords is clearly not permissible under the Security Rule regulations.
As often happens following the report of a breach, OCR investigated. Unsurprisingly, OCR determined that NHHD did not adequately implement privacy policies and did not conduct the required risk analysis. At this point in time, if an OCR settlement did not find that the settling party had conducted a risk analysis it would be shocking. Additionally, OCR faulted NHHD for not implementing appropriate information access termination procedures or assigning unique usernames and passwords. The two specific issues were stated as occurring over a four year period.
Lessons To Take Away
Access Termination
Know who is part of an organization’s workforce and set out clear processes for taking immediate action when a separation occurs. As noted by OCR, the termination of an individual from an organization’s workforce should really result in cutting off their access to the organization’s systems at the same time.
What does that mean in practice? From a practical perspective, it means ensuring that all appropriate individuals internally are informed as to pending actions and given a clear timeline as to when responses should occur. For example, coordination between human resources and information technology can enable a procedure of disabling a username at the time the individual is informed of a separation. The coordinated action can short circuit any ability of the terminated individual to continue accessing the system for even one minute following termination. Even a short access immediately following termination would be a technical breach because the individual is no longer a part of the organization’s workforce.
The NHHD settlement presents one wrinkle on the termination of access issue. The settlement does not provide an explanation, but implies that the terminated individual demanded or had some justifiable reason to access their computer following termination. If that is necessary, the individual should not be allowed unsupervised access to the computer, or in most likely any access. If the individual claims a need to obtain information from the computer, the organization still subject to HIPAA may consider handling the request internally and providing the requested files. Any permitted access to the system where patient information is housed runs the risk of a breach.
Unique Access
The second primary lesson fro the NHHD settlement is to ensure that only one person uses each username and password combination to access an organization’s systems. Leaving aside the fact that the HIPAA Security Rule calls for that result, allowing shared usernames and passwords creates a confused jumble of access logs and inhibits an ability to accurately audit what is happening within a system.
While it can be tempting to share a username and password, especially when an individual may only be with an organization for a short period of time (thinking the intern in the NHHD scenario), the short duration does not justify the sharing. The risks associated with shared usernames and passwords are too great. As noted in the applicable Security Rule regulation, the purpose of the unique username is to enable identification of users and tracking of activity. For example, if two users share the same access information, one could engage in malicious conduct that ends up being associated with the other, which conduct would likely result in negative consequences. An organization wants to know that the right person is identified and subjected to appropriate action to mitigate the likelihood of the person doing the same thing again.
What Next?
All organizations should evaluate operations to vet compliance with all aspects of the HIPAA Privacy Rules and Security Rules. In particular, easy to follow elements should be audited. Any instances of non-compliance should then be addressed, which may mean updating policies and probably conducting more training or education. Each settlement from OCR provides important information on different areas of the regulations under HIPAA and no opportunity for improvement should be missed.
This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.