Every covered entity and business associate, whether large or small, struggles with prompt termination of user access. Whether the user is an intern or a temporary or permanent employee, it is a common struggle to have HR tell IT that someone has left the organization or no longer needs access to PHI. This poses a high risk: individuals who may no longer be with the organization still have access to PHI, and some of them may be disgruntled. Here are a few tips to help mitigate the risk.
Establish a consistent process by which HR notifies IT when anyone leaves the organization or changes job functions and no longer needs access to PHI. HR likely already has a process it follows when an employee leaves. Work to include in that process telling IT who is leaving and when. Often this can be done simply by submitting a ticket to whoever provisions access to systems with PHI.
For temporary users (e.g., interns, volunteers, students, auditors, temporary staff), have HR provide you with the date when the user will be leaving. If they don’t know the exact date, have them provide a “safe” date by which the user will no longer need access. While not ideal, it will reduce the risk of terminated users retaining access for an extended period of time.
Review access logs periodically to purge users who are no longer with the organization or who have not logged in for an extended period of time (e.g., 3 months). This can be a significant amount of data to review for larger organizations with many users, so a log review schedule (e.g., once a month) should be implemented to remove inactive users.
The most effective method is working closely with HR to know immediately when users leave. However, reviewing logs and establishing access termination dates can also help in mitigating the overall risk.
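The three tips above (HR-supplied termination dates, “safe” end dates for temporary users, and a periodic inactivity review) can be combined into one deprovisioning check. The script below is an added example, not part of the original post or any particular EHR product; the account records, usernames, dates and the 90-day inactivity window are constructed assumptions, standing in for whatever an identity system or HR feed would export.

```python
from datetime import date, timedelta

# Constructed sample data (not from any real system): one record per account.
# "end_date" is the separation date HR supplied, or the "safe" date for a
# temporary user; None means HR has no end date on file for this person.
ACCOUNTS = [
    {"user": "jdoe",    "role": "nurse",   "last_login": date(2024, 5, 30), "end_date": None},
    {"user": "intern1", "role": "intern",  "last_login": date(2024, 5, 28), "end_date": date(2024, 5, 31)},
    {"user": "auditor", "role": "auditor", "last_login": date(2024, 1, 10), "end_date": date(2024, 6, 10)},
    {"user": "rsmith",  "role": "billing", "last_login": date(2024, 2, 1),  "end_date": None},
    {"user": "tlee",    "role": "clerk",   "last_login": date(2024, 5, 29), "end_date": date(2024, 5, 15)},
]

# Assumed policy values: the review is run as of this date, and an account
# with no login in 90 days counts as inactive (the post suggests 3 months).
REVIEW_DATE = date(2024, 6, 1)
INACTIVITY_LIMIT = timedelta(days=90)


def review_accounts(accounts, today, inactivity_limit=INACTIVITY_LIMIT):
    """Return {user: reason} for every account that should be disabled.

    Two checks, matching the tips above:
      - the HR-supplied end date has passed (terminated or temporary user);
      - no login within the inactivity window (dormant account).
    An account can match both; the end-date reason is reported because it
    is the stronger signal.
    """
    findings = {}
    for acct in accounts:
        end = acct["end_date"]
        if end is not None and end < today:
            findings[acct["user"]] = f"end date {end.isoformat()} has passed"
        elif today - acct["last_login"] > inactivity_limit:
            findings[acct["user"]] = f"no login since {acct['last_login'].isoformat()}"
    return findings


def upcoming_end_dates(accounts, today, window=timedelta(days=14)):
    """Accounts whose HR end date falls within the next `window` days, so the
    deprovisioning ticket can be queued before the date arrives."""
    return sorted(
        a["user"] for a in accounts
        if a["end_date"] is not None and today <= a["end_date"] <= today + window
    )


if __name__ == "__main__":
    for user, reason in sorted(review_accounts(ACCOUNTS, REVIEW_DATE).items()):
        print(f"DISABLE {user}: {reason}")
    print("queue tickets for:", upcoming_end_dates(ACCOUNTS, REVIEW_DATE))
```

Running it as of the review date flags the intern and the clerk because their end dates have passed, and the auditor and billing user because neither has logged in for more than 90 days; the auditor also shows up in the two-week look-ahead so the ticket can be opened before the end date. The inactivity threshold is a parameter so the same review can be re-run with whatever period your policy sets.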
Far too often HIPAA is used as a barrier for appropriate PHI sharing. However, when a patient wants to create a barrier to sharing in the form of a restricted communication, it must be followed. A patient might request a restriction for any number of reasons. Often it is in response to a threatening family member or a sensitive diagnosis. Regardless of the reason, covered entities must have a process for implementing the restriction across the entire organization.
A patient may tell a nurse practitioner to not send mail to their house, or only contact them at a specific telephone number. The act of telling that one staff member is tantamount to telling everyone within the organization, therefore everyone who may send communications to the patient needs to be made aware. Often this is done through a note in the EHR, or some type of flag in the patient’s record. If they do not want to be contacted at a certain phone number or e-mail address, that information can simply be removed. If you know you have to follow up by some method of communication after the visit, it might be a good habit to simply ask the patient if it is okay to contact them at a certain number, or if they have a preferred contact method.
Implementing a patient’s request for restricted communication is a simple HIPAA requirement to implement, which can promote patient safety and increase trust in the care you provide.
Everyone within your organization has at least one role. Access to Protected Health Information (“PHI”) may be required for each role, but not all roles require the same level of access. A great way to ensure staff only access the minimum amount of PHI necessary to do their job, and thus to satisfy the minimum necessary rule, is to implement role-based access control.
To establish role-based access control, first make a list of all roles within your organization. Then assign each role the minimum amount of access to PHI it needs. The list of roles, and thus the associated access, should extend beyond just the people within your organization; it should also include contractors, reviewers, IT staff, and the like. Most EHR systems make this process rather easy and allow you to define roles and assign corresponding access.
At the same time you are implementing this safeguard, you will also want to document it with an applicable policy and a procedure. These documents will verify how you limit PHI access to the minimum amount necessary, and will help ensure this process continues amid staff turnover and organizational maturity. Finally, you also want to implement a system of periodic audits to ensure the roles and assigned access are still adequate and that users have been assigned to the appropriate role. This simple check can help you identify necessary updates to your process and identify mistakes before they turn into vulnerabilities.
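The role list, the minimum-necessary permission set per role, and the periodic audit described above can be expressed as a small policy model with a review routine. The code below is an added example, not the original post’s or any EHR vendor’s code; the role names, permission strings, users and grants are constructed, and the audit treats anything an account holds beyond its role’s set, an account with no role, or an account assigned to a role the policy never defined as a finding.

```python
# Constructed example: minimum-necessary permission sets per role, the role
# assigned to each user, and the permissions each account actually holds in
# the EHR (as an access-review export might list them). All names are made up.
ROLE_PERMISSIONS = {
    "front_desk": {"demographics.read", "schedule.read", "schedule.write"},
    "nurse":      {"demographics.read", "clinical.read", "clinical.write"},
    "billing":    {"demographics.read", "claims.read", "claims.write"},
    "it_support": {"account.reset_password"},   # no clinical data access
    "auditor":    {"audit_log.read"},           # external reviewers get a role too
}

USER_ROLES = {
    "amy":  "front_desk",
    "ben":  "nurse",
    "cara": "billing",
    "dev":  "it_support",
    "eve":  "radiology",   # assigned to a role the policy never defined
}

# What each account is actually granted today (constructed review export).
GRANTED = {
    "amy":   {"demographics.read", "schedule.read", "schedule.write"},
    "ben":   {"demographics.read", "clinical.read", "clinical.write", "claims.write"},
    "cara":  {"demographics.read", "claims.read"},
    "dev":   {"account.reset_password", "clinical.read"},
    "eve":   {"clinical.read"},
    "frank": {"audit_log.read"},   # account exists but has no role assignment
}


def is_permitted(role_permissions, user_roles, user, permission):
    """Policy decision: allowed only if the user's role grants the permission.
    Unknown users and undefined roles fall through to an empty set, so the
    default is deny."""
    return permission in role_permissions.get(user_roles.get(user), set())


def audit_access(role_permissions, user_roles, granted):
    """Compare actual grants against each role's minimum-necessary set.

    Returns {user: {"issue": ..., "excess": [...]}} for every account that
    needs attention; an empty dict means the review is clean. Holding fewer
    permissions than the role allows is not reported, because it is not a
    minimum-necessary violation.
    """
    findings = {}
    for user, perms in granted.items():
        role = user_roles.get(user)
        if role is None:
            findings[user] = {"issue": "no role assigned", "excess": sorted(perms)}
            continue
        allowed = role_permissions.get(role)
        if allowed is None:
            findings[user] = {"issue": f"undefined role '{role}'", "excess": sorted(perms)}
            continue
        excess = perms - allowed
        if excess:
            findings[user] = {"issue": "access beyond role", "excess": sorted(excess)}
    return findings


if __name__ == "__main__":
    for user, finding in sorted(audit_access(ROLE_PERMISSIONS, USER_ROLES, GRANTED).items()):
        print(f"{user}: {finding['issue']} -> {', '.join(finding['excess'])}")
```

On the sample data the audit reports the nurse who picked up a billing permission, the IT account that can read clinical data, the user assigned to a role that was never defined, and the account with no role at all, which is exactly the set of mistakes the periodic review is meant to catch. Keeping `ROLE_PERMISSIONS` under version control alongside the written policy gives you the documentation the post asks for and a single place to change when roles evolve.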