Mike Semel
Semel Consulting
Before you give your employees HIPAA compliant access to patient data you must do some planning. While it would be easy to give everyone access to everything, HIPAA’s requirement for Minimum Necessary access means that you have to put limits on what data employees need to perform their job. The best way to do this is to consider the responsibilities of each employee, and make sure there is a written job description that includes the type of data they can access. It’s your decision, but be prepared to justify it if you are audited or investigated for a data breach.
HIPAA Compliant Authorization and/or Supervision
“Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.”
Authorization works both ways—you want to limit access to data so your workforce cannot get to patient data they don’t need, but you really need to be sure that workforce members who provide patient care are not blocked from critical data that could have serious negative results on a patient’s life or health. Let your caregivers know that accessing records for patients for whom they are not providing care is snooping, which is prohibited and is logged behind the scenes by your EHR system.
HIPAA Compliant Workforce Clearance Procedure
“Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.”
HIPAA compliant access depends on your systems, how you store data, and the roles and responsibilities of your workforce members. Consider how staffing levels can quickly change due to absences and busy times that require personnel to come in unexpectedly or quickly shift from one location to another.
While everyone is anxious to get a new employee productive immediately, it makes sense to slow down the clearance procedure to make sure you don’t miss anything that may result in a high cost data breach. It varies with their role, but make sure that an employee’s background and credentials are verified. Do not give them access to any patient data until they have completed your organization’s HIPAA compliant workforce training. Make sure the appropriate signatures are in place authorizing access before any is given. Attention to detail can give your organization the evidence it may need to protect itself.
Recently I was asked if the person filing patient folders in a medical practice should be prohibited from opening the folders and reading about patient visits and lab reports. I said that it did not seem that the info inside the folder was required for filing, but that the person’s supervisor should make the determination (either way) and document it. If the answer is that the filer should not open the files, if it happens the filer would be breaching the HIPAA Minimum Necessary requirement and the practice’s policies. On the other hand, if the manager believes the filer has a HIPAA compliant need to open the folders and read the patient info, then it should be documented. HIPAA offers flexibility and in a small practice someone may wear many hats and therefore have different access to data than someone with the same role but in a larger organization.
HIPAA Compliant Termination Procedures
“Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) [the Workforce Clearance Procedure] of this section.”
This seems obvious, but it is surprising to show a manager the list of users with access to their computer systems, and hear “That person isn’t here anymore…” over and over.
With so many unsecured wireless networks and weak firewalls in place, it is easy for an unauthorized person with basic computer skills to log in remotely. What if they posted patient information to a public website? What if they were able to change patient’s blood types?
Earlier I suggested slowing down the Workforce Clearance Procedure. Now I suggest speeding up the Termination Process. Don’t require paperwork. Don’t expect an e-mail to be read quickly. A manager should CALL your network or EHR administrator to ask them to IMMEDIATELY terminate access for someone that has left your organization, for whatever reason. Then they can follow up later with paperwork. It should take only a minute to disable access, and the benefit can be huge.
Don’t wait.
Mike Semel is certified in HIPAA and has been the CIO for a hospital (Covered Entity) and has provided IT support for healthcare providers (as a Business Associate.) This article was originally published on 4Medapproved.com/HITSecurity.