Many small practices struggle with password security. The provider shares his login credentials with staff to make it easier for him to pull records from hospital stays in preparation for a clinic visit as well as so Medical Assistants can have the exam room computer on and ready for him when he walks in or so the nurse can chart for him. With how busy physicians are, these seem to be reasonable shortcuts to make his workflow more manageable. The problem is these practices are leaving the physician and the practice vulnerable to some pretty hefty fines.
HIPAA requires covered entities and business associates with access to electronic Protected Health Information (ePHI) to implement a few safeguards to protect unauthorized access to patient information:
Password Management: Procedures for creating, changing, and safeguarding passwords. §164.308(a)(5)(ii)(D)
Unique User ID: Assign a unique name and/or number for identifying and tracking user identity. §164.312(a)(2)(i)
Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. §164.312(c)(1)
Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. §164.312(d)
Beyond the privacy reasons, it is important to protect passwords in order to secure the integrity of the ePHI. A rogue, or even well-intentioned, employee can change a patient’s chart causing great harm to the patient. Your HIPAA Tip on sharing passwords, is simply don’t.
If you have any questions on how to meet these requirements, contact us!