Controlling Access to Health Information
Levels of access to protected health information should be tailored to employees’ job responsibilities.
One of the most common errors Jen Stone, a security analyst at SecurityMetrics in Orem, Utah, sees when she reviews access control in physicians' offices is a lack of connection between policy and procedure. Access control often is viewed as an IT-only job, “but the only way for IT to create access controls is through working with human resources and the business side of the office,” she said.
The need for physicians' offices to actively manage access control was underscored in February when South Florida's Memorial Healthcare System paid a $5.5 million settlement to the US Department of Health and Human Services (HHS). HHS found that a former employee's login credentials had been used daily for an entire year to access patients' protected health information without anyone noticing. Memorial had access control policies in place, but it had not terminated the former employee's user privileges.
More access than necessary
IS Decisions, an IT security firm based in Bidart, France, surveyed healthcare organizations on user security and compliance and found that more than 80% of users believe the data they can access is required to do their jobs. Nearly 20%, however, said their level of access was greater than they needed, and fewer than half of respondents said they had specific access levels that restricted which files they could see.
The golden rule of access control is the principle of least privilege: give staff the minimum level of access they need to do their job, and nothing more. Managers should not give everyone blanket access simply to avoid sorting out who needs what. Instead, they should implement role-based access control, spelling out in the practice's policy and procedure documents the type of access each staff member should have based on their job description, and then work with IT to configure each employee's login accordingly.
On its website, IS Decisions offers some points to consider when determining user access:
- Each staff member should have a unique login; do not allow them to share credentials.
- IT staff should create a way to track actions people take in the system.
- Practices may consider other generic restrictions aside from job duties like location and time. Most staff members should not be accessing the system at night or from home.
After policies and procedures related to access are established, it is important to follow up. If someone had been checking access at Memorial Healthcare, the former employee would not have spent a year pulling data, Stone noted. One way to catch this is to set up monitors and alerts in the system so that an administrator is notified of suspicious activity and can check it out. For instance, a flag might be raised when a staff member accesses the record of a patient with the same last name, to make sure employees are not looking up relatives' data.
Another preventive measure is to ensure that when employees change jobs within the organization, their access is changed to match the needs of the new role. Access should be removed promptly when employees leave, whether they are fired or quit.
IT staff have no way of knowing when employees have changed jobs within an organization or have left the organization, so managers or human resource personnel must remember to tell them and then verify that IT has made the necessary changes to access privileges, Stone said.
Depending on the office's resources and its appetite for risk, Stone recommends checking access on a quarterly basis to ensure everything is as it should be. This task should be performed by a manager or human resource person who knows the rules for moving people around in the system.
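As an added example that is not part of this article or of any SecurityMetrics or IS Decisions material, the following Python script illustrates both follow-up steps described above: the monitoring flags (a departed or unknown user's credentials, access outside business hours, access beyond what the HR-defined role allows, and a patient sharing a staff member's last name) and the quarterly review that reconciles IT's account list against the HR roster. The roster, account list, role permissions, business hours and audit-log lines are all constructed for illustration; the comma-separated log format and every field name are assumptions, not any real EHR's export.

```python
"""Added example: access-log monitoring and a quarterly account review.
All data below is constructed; field names and formats are assumptions."""
from datetime import datetime

# Constructed HR roster: what the business side knows about each person.
ROSTER = {
    "jdoe":   {"name": "Jane Doe",  "status": "active",     "role": "billing"},
    "mlee":   {"name": "Mark Lee",  "status": "active",     "role": "nurse"},
    "asmith": {"name": "Ann Smith", "status": "terminated", "role": "front_desk",
               "left": "2023-02-10"},
}

# Constructed: what IT's user directory says. Note the gaps versus HR.
IT_ACCOUNTS = {
    "jdoe":        {"role": "billing"},
    "mlee":        {"role": "billing"},     # moved to nursing; IT was never told
    "asmith":      {"role": "front_desk"},  # left in February; never disabled
    "contractor7": {"role": "admin"},       # no HR record at all
}

# Role-based entitlements (assumed): record types each role may open.
ROLE_PERMISSIONS = {
    "billing":    {"demographics", "insurance"},
    "nurse":      {"demographics", "clinical"},
    "front_desk": {"demographics"},
    "admin":      {"demographics", "insurance", "clinical", "audit"},
}

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local time, an assumption

# Constructed audit-log lines: timestamp,user,patient_name,record_type
LOG = [
    "2023-05-02T09:15:00,jdoe,Robert Brown,insurance",       # normal
    "2023-05-02T23:40:00,jdoe,Robert Brown,insurance",       # night access
    "2023-05-03T10:05:00,mlee,Susan Lee,clinical",           # same last name
    "2023-05-03T10:07:00,mlee,Robert Brown,insurance",       # beyond nurse role
    "2023-05-04T11:00:00,asmith,Robert Brown,demographics",  # departed user
    "2023-05-04T11:30:00,contractor7,Robert Brown,audit",    # unknown to HR
]


def review_accounts(accounts, roster):
    """Quarterly review: reconcile IT's enabled accounts against the HR roster.
    Returns (user, finding) pairs for orphaned, stale or mis-roled accounts."""
    findings = []
    for user, acct in accounts.items():
        person = roster.get(user)
        if person is None:
            findings.append((user, "no HR record; orphaned or shared account"))
        elif person["status"] != "active":
            findings.append((user, f"left {person.get('left', '?')} but still enabled"))
        elif acct["role"] != person["role"]:
            findings.append((user, f"IT role {acct['role']!r} differs from HR role "
                                   f"{person['role']!r}"))
    return findings


def flag_access(log_lines, roster):
    """Monitoring: apply the article's alert rules to each audit-log line.
    Role checks use the HR role (policy), not IT's role (enforcement), so a
    policy/procedure gap shows up as an alert. Returns (line, reason) pairs."""
    alerts = []
    for line in log_lines:
        ts, user, patient, record_type = line.split(",")
        when = datetime.fromisoformat(ts)
        person = roster.get(user)
        if person is None or person["status"] != "active":
            alerts.append((line, "credentials of a departed or unknown user"))
            continue
        if record_type not in ROLE_PERMISSIONS[person["role"]]:
            alerts.append((line, f"{record_type} outside HR role {person['role']}"))
        if when.hour not in BUSINESS_HOURS:
            alerts.append((line, "access outside business hours"))
        if patient.split()[-1].lower() == person["name"].split()[-1].lower():
            alerts.append((line, "patient shares staff member's last name"))
    return alerts


if __name__ == "__main__":
    for user, finding in review_accounts(IT_ACCOUNTS, ROSTER):
        print(f"REVIEW  {user}: {finding}")
    for line, reason in flag_access(LOG, ROSTER):
        print(f"ALERT   {reason}: {line}")
```

In practice the roster would be exported from the HR system and the log from the EHR's audit trail; the point of the example is that both checks need the HR data (status, role, name) that IT alone does not have, which is exactly the policy-to-procedure link the article says is usually missing.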