Avoid Inappropriate Access: Abide by the HIPAA Security Rule

How much access to a patient’s electronic Protected Health Information (ePHI) does your receptionist need? How much access to a patient’s ePHI does your head nurse need?

Is it the same amount of access?

The HIPAA Security Rule addresses this when it talks about availability. It says that a covered entity shall:

Implement policies and procedures to ensure that all members of its workforce have appropriate access to ePHI as provided under the Information Access Management standard and to prevent those workforce members who do not have access under the Information Access Management standard form obtaining access to ePHI.

So it is left to you to determine what appropriate access is for the members of your workforce and how that access is granted to them. To boil it down to three simple steps, you as a covered entity need to identify the level of access needed, implement that level of access, and document how you determined the level of access.

  1. Identify the level of access. An examination of job descriptions would be the place to begin in determining what level of access is needed to ePHI. The job description should point out in great detail the essential duties of the teammate. It would therefore give a good indication of what ePHI is needed to do the job. You as the employer obviously want to make sure your employee has the information needed to get the job done, but the second half of this section of the Security Rule makes it clear you should not give more access than needed.

    Another factor in determining who has access to ePHI is to consider who has access to non-electric PHI or paper records. The person with access to PHI as part of their job may very well also need access to ePHI.
  2. Implement the level of access. Once you have determined what the requisite level of access to ePHI is for a teammate, you need to make sure to get them the minimum essential access to ePHI. Perhaps as part of this process an occasional audit of policies and procedures would ensure compliance with determined access to ePHI

    Establishing procedure for removing access to ePHI is necessary should a teammate’s required level of access change or in the event of an employee’s termination. Especially in the event of termination a covered entity should move quickly to ensure there is no breach of ePHI.
  3. Document how you determined the level of access. If you don’t have your HIPAA policies and procedures documented, you cannot prove you have policies and procedures in place. Documentation of the process you went through in determining what level of access to ePHI your teammates have is a critical step for you toward compliance. It doesn’t mean you will be compliant if you have things documented, but you will not be compliant if you don’t have policies and procedures documented.

Whether you are just beginning the journey toward HIPAA compliance or well into the journey, ensuring the appropriate access to ePHI for your team is an important, and often neglected, phase which must be visited regularly. Regular checks on who needs access to what levels of ePHI safeguards the client information and assures your team has the information they need to get their work done.

If you have questions about determining the level of access needed to ePHI don’t hesitate to call our HIPAA professionals at MapleTronics. We will be happy to assist you with the process and think through the tough questions you need to ask in order to continue your journey toward HIPAA compliance.

Do you want to learn more? Check out our next webinar that covers this topic of HIPAA Information Availability and Integrity.

"The Two Legs of Security Rule Compliance You May Be Missing"

Conversation