Does each workforce member in your medical office have the necessary security rights to access your electronic systems and perform their specific duties? Defining these rights or “access controls” is part of compliance with HIPAA Security Rule regulations.
The Technical Safeguards section of the HIPAA Security Rule includes the Access Control standard. For the Technical Safeguards, the Security Rule defines “access” as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.” In general, access controls give users “rights and/or privileges to access and perform functions using information systems, applications, programs, or files.” When functioning correctly, these controls limit authorized users to the minimum necessary information needed to perform their jobs. Under the Access Control standard, a covered entity (CE) is required to “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights” as defined under the Security Rule’s Administrative Safeguards.
Information systems implement access control in many different ways, and the Security Rule does not prescribe a specific access control method or technology. Whatever technology or information system is in use, the access rights granted should always match the role of the workforce member who holds them.
The Access Control Standard has four implementation specifications:
- Unique User Identification (required specification)
- Emergency Access Procedures (required specification)
- Automatic Logoff (addressable specification)
- Encryption and Decryption (addressable specification)
This series of articles will discuss each of these specifications beginning with Part 1: Unique User Identification.
The Unique User Identification specification requires a CE to “assign a unique name and/or number for identifying and tracking user identity.” Assigning a name or number should not be confused with the creation and use of passwords: the identifier states who is acting in the system (identification), while the password proves that the person presenting the identifier is entitled to it (authentication). A unique name or number identifies one specific user of an information system, such as an EHR system, and allows that user’s activity to be tracked while logged in. HIPAA regulations require workforce members to have access only to the protected health information (PHI) related to their job functions. Unique identifiers allow an entity, such as a CE, to hold each user accountable for the actions performed under that identifier within the information system. Information systems record this activity in audit logs, and the resulting audit trail of user activity is highly useful, e.g., in malpractice defense.
The Access Control standard does not prescribe a single format for user identifiers; the CE chooses the format. That choice should be based on the nature of the practice workforce, i.e., its size and work requirements. Some options are:
- Use of the employee’s name
- A variation of the employee’s name, e.g., John Smith as “jsmith”
- Assignment of a random set of numbers
- Assignment of a random set of characters
Random identifiers are harder for unauthorized users, such as criminal hackers, to guess, but harder for authorized users to remember. In this respect, choosing an identifier type involves the same trade-off as constructing passwords. Unlike a password, however, an identifier is not a secret that protects access on its own, and a hard-to-guess identifier is no substitute for a strong password; its value lies in accountability. An identifier should therefore be used only by the workforce member to whom the CE assigned it and never lent to or shared with others, because every action performed under it will be attributed to that person in the audit trail.
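As an added illustration, not code from the article or from any EHR product: the Python below assigns identifiers under both strategies discussed above (a name-based “jsmith” form with collision handling, so two Smiths never share an identifier, and a random form generated with the standard library’s `secrets` module), then resolves constructed audit-log lines back to workforce members. The log format, the names, the roster and the shared “frontdesk” login are all constructed for the example; real EHR audit logs use their own formats.

```python
"""Added example (not from the article): unique user identifiers and the
audit trail they make possible. Names, roster, log format and the shared
'frontdesk' login are constructed for illustration."""
import re
import secrets
import string
from collections import defaultdict


def name_based_id(first: str, last: str, taken: set) -> str:
    """Build a 'jsmith'-style identifier from a name. If it is already
    assigned, append a counter (jsmith2, jsmith3, ...) so that every
    workforce member ends up with an identifier nobody else holds."""
    base = re.sub(r"[^a-z]", "", (first[:1] + last).lower())
    if not base:
        raise ValueError("name yields no usable characters")
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    taken.add(candidate)
    return candidate


def build_roster(names) -> dict:
    """Assign name-based identifiers to a list of (first, last) pairs and
    return the identifier -> full-name mapping the audit trail relies on."""
    taken = set()
    return {name_based_id(f, l, taken): f"{f} {l}" for f, l in names}


def random_id(taken: set, length: int = 8, digits_only: bool = False) -> str:
    """Random identifier (harder to guess, harder to remember). `secrets`
    rather than `random` is used so the value is unpredictable; the loop
    guarantees uniqueness against identifiers already assigned."""
    alphabet = string.digits if digits_only else string.ascii_uppercase + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if candidate not in taken:
            taken.add(candidate)
            return candidate


# Constructed roster: 'frontdesk' is deliberately absent because it is a
# shared login, not an identifier assigned to one person.
ROSTER = {"jsmith": "John Smith", "jsmith2": "Jane Smith"}

# Constructed EHR audit log: timestamp, user identifier, action, record number.
AUDIT_LOG = """\
2024-03-04T08:01:12Z jsmith    VIEW   MRN=10042
2024-03-04T08:03:40Z jsmith2   VIEW   MRN=10042
2024-03-04T08:05:09Z jsmith2   MODIFY MRN=10042
2024-03-04T09:15:33Z frontdesk VIEW   MRN=10077
2024-03-04T09:16:01Z frontdesk MODIFY MRN=10078
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(VIEW|MODIFY|PRINT)\s+MRN=(\d+)$")


def activity_by_user(log: str) -> dict:
    """Group audit entries by identifier: the per-user audit trail the
    article describes. Malformed lines are skipped rather than guessed at."""
    out = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, user, action, mrn = m.groups()
        out[user].append((ts, action, mrn))
    return dict(out)


def who_modified(log: str, mrn: str, roster: dict) -> str:
    """Name the workforce member accountable for modifying a record. A
    shared identifier cannot be resolved to a person, which is exactly the
    accountability gap unique user identification is meant to close."""
    for user, entries in activity_by_user(log).items():
        for _, action, rec in entries:
            if action == "MODIFY" and rec == mrn:
                return roster.get(
                    user,
                    f"unattributable: '{user}' is not assigned to a single workforce member",
                )
    return "no modification recorded"


if __name__ == "__main__":
    print(build_roster([("John", "Smith"), ("Jane", "Smith")]))
    print(random_id(set()), random_id(set(), length=6, digits_only=True))
    for rec in ("10042", "10078", "10077"):
        print(rec, "->", who_modified(AUDIT_LOG, rec, ROSTER))
```

Run directly, the script shows Jane Smith being named for the change to MRN 10042, while the change to MRN 10078 made under the shared “frontdesk” login cannot be attributed to anyone. The same gap appears with any generic or shared account, which is why the specification calls for an identifier per workforce member.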
To comply with this access control specification, the following actions are advisable:
- Review current policies on unique identifiers
- Have specific policies on the construction and use of identifiers
- Ensure, consistent with practice policies, that every workforce member who accesses information systems has an identifier of his or her own, with no shared or generic logins
- Ensure that whatever type of identifier is used can be tracked within the related information systems, e.g., in the EHR’s audit log
In Part 2 of this series, I will discuss the required specification of Emergency Access Procedures.
For further cybersecurity information on this subject and many others, LAMMICO offers policyholders complimentary access to the TMHCC CyberNET®, an advanced cyber risk management resource and education center. Log in as a Member to access the TMHCC CyberNET® portal. Provided in partnership with cyber risk experts, Tokio Marine HCC, this excellent resource is continually updated and well worth the time to review.