HIPAA Compliant Data – Who Can Get to What, and Why
Before you give your employees HIPAA compliant access to patient data you must do some planning. While it would be easy to give everyone access to everything, HIPAA’s requirement for Minimum Necessary access means that you have to put limits on what data employees need to perform their job. The best way to do this is to consider the responsibilities of each employee, and make sure there is a written job description that includes the type of data they can access. It’s your decision, but be prepared to justify it if you are audited or investigated for a data breach.
HIPAA Compliant Authorization and/or Supervision
“Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.”
Authorization works both ways—you want to limit access to data so your workforce cannot get to patient data they don’t need, but you really need to be sure that workforce members who provide patient care are not blocked from critical data that could have serious negative results on a patient’s life or health. Let your caregivers know that accessing records for patients for whom they are not providing care is snooping, which is prohibited and is logged behind the scenes by your EHR system.
HIPAA Compliant Workforce Clearance Procedure
“Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.”
HIPAA compliant access depends on your systems, how you store data, and the roles and responsibilities of your workforce members. Consider how staffing levels can quickly change due to absences and busy times that require personnel to come in unexpectedly or quickly shift from one location to another.
While everyone is anxious to get a new employee productive immediately, it makes sense to slow down the clearance procedure to make sure you don’t miss anything that may result in a high-cost data breach. It varies with their role, but make sure that an employee’s background and credentials are verified. Do not give them access to any patient data until they have completed your organization’s HIPAA compliant workforce training. Make sure the appropriate signatures are in place authorizing access before any is given. Attention to detail can give your organization the evidence it may need to protect itself.
Recently I was asked if the person filing patient folders in a medical practice should be prohibited from opening the folders and reading about patient visits and lab reports. I said that it did not seem that the info inside the folder was required for filing, but that the person’s supervisor should make the determination (either way) and document it. If the answer is that the filer should not open the files, then if it happens the filer would be breaching the HIPAA Minimum Necessary requirement and the practice’s policies. On the other hand, if the manager believes the filer has a HIPAA compliant need to open the folders and read the patient info, then it should be documented. HIPAA offers flexibility, and in a small practice someone may wear many hats and therefore have different access to data than someone with the same role in a larger organization.
HIPAA Compliant Termination Procedures
“Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) [the Workforce Clearance Procedure] of this section.”
This seems obvious, but it is surprising to show a manager the list of users with access to their computer systems, and hear “That person isn’t here anymore…” over and over.
With so many unsecured wireless networks and weak firewalls in place, it is easy for an unauthorized person with basic computer skills to log in remotely. What if they posted patient information to a public website? What if they were able to change patients’ blood types?
Earlier I suggested slowing down the Workforce Clearance Procedure. Now I suggest speeding up the Termination Process. Don’t require paperwork. Don’t expect an e-mail to be read quickly. A manager should CALL your network or EHR administrator to ask them to IMMEDIATELY terminate access for someone that has left your organization, for whatever reason. Then they can follow up later with paperwork. It should take only a minute to disable access, and the benefit can be huge.
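One way to surface the “That person isn’t here anymore…” accounts before an auditor does is to reconcile every enabled account against HR’s list of current workforce members. The script below is an added example, not code from the article or from 4MedTraining; the roster, the account export and the dates are constructed sample data, and the 90-day dormancy threshold is an assumed local policy.

```python
"""Reconcile enabled EHR/directory accounts against the HR roster.
Added example for the Termination Procedures section; all data below is
constructed, not taken from any real practice."""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: only workforce members currently employed,
# with the supervisor who signed off on their access (see Clearance).
ACTIVE_WORKFORCE = {
    "asmith": {"role": "nurse", "access_authorized_by": "J. Doe"},
    "bjones": {"role": "filing clerk", "access_authorized_by": "J. Doe"},
    "cnguyen": {"role": "physician", "access_authorized_by": "J. Doe"},
}

# Constructed account export from the EHR / directory server.
ENABLED_ACCOUNTS = [
    {"user": "asmith", "enabled": True, "last_login": date(2013, 3, 1)},
    {"user": "bjones", "enabled": True, "last_login": date(2012, 11, 1)},
    {"user": "cnguyen", "enabled": True, "last_login": date(2013, 3, 2)},
    {"user": "dlee", "enabled": True, "last_login": date(2012, 11, 15)},    # left in Dec 2012
    {"user": "vendor_tmp", "enabled": True, "last_login": None},            # nobody owns it
    {"user": "eolsen", "enabled": False, "last_login": date(2012, 8, 3)},   # already disabled
]

TODAY = date(2013, 3, 5)  # constructed "run date" for the report


@dataclass
class Finding:
    user: str
    reason: str


def find_stale_access(accounts, roster, today, dormant_days=90):
    """Return enabled accounts that should be disabled or reviewed:
    owner missing from the active HR roster (terminated or unknown),
    or no login within dormant_days (a leaver the roster may have missed)."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already terminated; nothing to do
        user = acct["user"]
        if user not in roster:
            findings.append(Finding(user, "not on active workforce roster"))
        elif acct["last_login"] is None or (today - acct["last_login"]).days > dormant_days:
            findings.append(Finding(user, f"no login in {dormant_days} days"))
    return findings


if __name__ == "__main__":
    for f in find_stale_access(ENABLED_ACCOUNTS, ACTIVE_WORKFORCE, TODAY):
        print(f"DISABLE/REVIEW {f.user}: {f.reason}")
```

Run it on a nightly schedule against a fresh account export and the findings are the list the manager should be phoning the administrator about.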
Read the first article in this series: HIPAA Risk Analysis and Your Critical Starting Point
Read the second article in this series: HIPAA Security Rule – Wrong Way, Go Back!
Understand What Constitutes HIPAA Compliant E-mail
Every day I get questions about HIPAA compliant e-mail, and many days I see or hear something that leads healthcare organizations and their business associates in the wrong direction.
These Myths and Facts can help you make the right e-mail decisions. I have included links to give you more details and so you can see the official information yourself.
MYTH – All e-mail systems are HIPAA compliant.
FACT – FALSE. Free web mail services like Gmail, Yahoo! Mail, Hotmail, and those provided by an Internet Service Provider are not secure, and no electronic Protected Health Information (ePHI) should be sent through these systems, either in messages or attachments. In 2012, an Arizona medical practice paid a $100,000 penalty for sending mail from an Internet-based e-mail account. They also used a publicly accessible online calendar for patient scheduling.
There are HIPAA compliant e-mail systems that use secure mail servers, and solutions that allow you to encrypt messages you can send to anyone. Some Cloud-based solutions are secure, and the providers will sign Business Associate Agreements, which makes your relationship HIPAA compliant.
If your practice is using a web mail service to send patient information, STOP NOW, because every message you send is a data breach. To get the right solution talk to a certified IT professional who understands HIPAA. Check out the 4Med Pro Network if you want one that specializes in healthcare.
MYTH – Any e-mail message containing patient data must be encrypted.
FACT – FALSE. E-mail sent desk-to-desk within your organization using a secure server on a secure network does not have to be encrypted. E-mail going to a remote office on your wide area network should be protected by encryption used to set up the secure ‘tunnels’ through the Internet between locations. You can also use dedicated secure circuits that do not go through the Internet. Never send unencrypted e-mail containing patient information to a doctor, any member of your workforce, or a Business Associate at their personal or business address outside of your network.
MYTH – I cannot send a patient their medical information if they use a free web mail service.
FACT – FALSE. You can, based on recent guidance from the US Department of Health & Human Services. As long as you are using a secure e-mail system on your end, the HIPAA Omnibus Rule released in January says that if a patient asks you to send them information at a Gmail, Yahoo! Mail, Hotmail (or similar) account, you should inform them that their system is not secure and ask if they still want the information sent to them. If they say yes, it is HIPAA compliant to do this. Be sure you document your conversation and their approval.
FROM THE HIPAA OMNIBUS FINAL RULE (page 5634) — We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email… If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.
MYTH – I only have to worry about written e-mails and documents.
FACT – FALSE. In today’s world many types of information link to e-mail systems. You can scan documents and send them from your copier to an e-mail address. Faxes are converted from paper to e-mails. Dictation and telephone voice messages are converted into e-mails. HIPAA protects any electronic file containing ePHI—written, image (like a scanned image, fax, x-ray, or MRI) or voice—and these should be encrypted before sending outside your organization.
MYTH – All e-mail that is at rest (stored on a computer) must be encrypted.
Be warned that if you lose a device containing unencrypted ePHI, it is reportable and you can pay a hefty fine, like Massachusetts Eye & Ear Infirmary did in 2012. If a device containing ePHI is encrypted and is lost, you don’t have to report it.
Don’t think that the only computers that are stolen are laptops and portable devices. The HIPAA ‘Wall of Shame’ listing data breaches has a number of servers listed that were stolen from offices. If you really want to protect the data and protect your organization from fines and embarrassment, every device you own that stores patient data should be encrypted, even though it is not required.