Today, staff in medical offices have access to a number of systems that may be used to access and manage Protected Health Information. There may be a patient management system that may or may not be integrated with an EHR, an e-mail system, access to file systems, access to government sites and health insurer sites, and access to other agencies’ and facilities’ systems. When a staff member starts, access may be set up for a few obvious systems, such as e-mail, files, and the EHR, but access grows over time, and in many disciplines access to outside Web sites provided by others is necessary. After a while, a staff member may have access to far more than the e-mail, some files, and the EHR.
What happens when that staff member leaves the organization? Today there are usually processes for turning off access within the organization for departing staff, but often the access to outside sites is forgotten about, and may be left open. Depending on the system, staff may be able to access Protected Health Information even after they no longer work in your office, leading to privacy and security issues and breaches.
Terminating staff access is no longer a simple process; it requires a coordinated effort between managers, staff, and HR to ensure that all access that should be terminated is, indeed, properly terminated. Mishandling staff access can lead to privacy violations, enforcement investigations, and financial penalties. The time to get your access control procedures under control is now.
HIPAA regulations require that organizations have strict controls on access to electronic Protected Health Information to ensure that only authorized persons have access, and to ensure that access is terminated when no longer needed. The HIPAA Security Rule has Physical, Technical, and Administrative safeguard requirements that call for having the technology and processes in place to properly establish access and maintain it.
HR processes usually initiate and document the initial provision of access to systems within the office, such as networks, e-mail, servers, and the EHR. These systems are also the easiest to terminate access to, since they are controlled by the organization, and in general, a reverse process can be used for disabling access for termination.
Other entities may maintain other systems, such as state Web sites for Medicaid, or insurer Web sites, that your staff needs to access. Often, access for these sites is arranged by the manager or program director of the staff person, but there may not be a good process for making sure this access is turned off upon a termination of employment. Depending on the system, access might still be possible from another workstation if the ID and password for the terminated staff are not blocked.
These external services, and other internal services that may not be managed centrally within your organization, are at risk for access being left open if a plan is not developed for managing that access.
The enabling of access must be tracked in a database (or similar tool) so that it is possible to always know who has access to which sites, and which sites need to be contacted to terminate access upon a staff termination. The use of this tool must be integrated into the actions of managers and HR alike so that they can work together to make sure unnecessary access is disabled, and privacy and security violations are avoided.
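One way to build the tracking tool described above, as an added illustration and not something from the webinar or its speaker: a small access register in which every grant records who can actually revoke it, so that an offboarding checklist and a periodic stale-access review can both be produced from it. All names, systems and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Grant:
    user: str
    system: str
    managed_by_it: bool        # True: disabled centrally; False: outside site
    revoke_contact: str        # helpdesk queue or external site administrator
    granted: date
    revoked: Optional[date] = None

@dataclass
class Register:
    grants: list = field(default_factory=list)
    departed: dict = field(default_factory=dict)   # user -> last working day

    def grant(self, g: Grant) -> None:
        self.grants.append(g)

    def offboarding_checklist(self, user: str) -> list:
        """Every still-open grant for a user, so outside sites are not forgotten."""
        return [(g.system, g.revoke_contact)
                for g in self.grants if g.user == user and g.revoked is None]

    def record_revocation(self, user: str, system: str, when: date) -> None:
        for g in self.grants:
            if g.user == user and g.system == system and g.revoked is None:
                g.revoked = when

    def review_stale_access(self, today: date) -> list:
        """Periodic review: open grants held by departed staff, days past last day."""
        return [(g.user, g.system, (today - self.departed[g.user]).days)
                for g in self.grants
                if g.user in self.departed and g.revoked is None]

def build_sample_register() -> Register:
    """Constructed sample data for one departing clerk (hypothetical names)."""
    r = Register()
    r.grant(Grant("jdoe", "e-mail", True, "IT helpdesk", date(2021, 3, 1)))
    r.grant(Grant("jdoe", "EHR", True, "IT helpdesk", date(2021, 3, 1)))
    r.grant(Grant("jdoe", "State Medicaid portal", False,
                  "program director -> state portal admin", date(2021, 6, 15)))
    r.grant(Grant("jdoe", "Insurer claims site", False,
                  "office manager -> insurer account rep", date(2022, 1, 10)))
    r.departed["jdoe"] = date(2024, 5, 31)
    for s in ("e-mail", "EHR"):    # IT disables internal accounts on the last day
        r.record_revocation("jdoe", s, date(2024, 5, 31))
    return r
```

Running the review a month after the last day shows exactly the two outside sites that the internal HR/IT process never touched, with the person to contact for each.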
Overall, access management and HR processes need to move into the 21st Century, so that access management methods are relevant and effective as security tools in the modern age of communication.
At the conclusion of the session, participants will be able to:
- Understand the rules surrounding access controls and their management under HIPAA.
- Know the ways in which access management controls can be improved to ensure that access for terminated staff is properly terminated.
- Learn how staff, managers, HR, and IT can work together to improve access controls and the privacy of patient information.
- Know how to establish an improved access control process that can help prevent privacy and security issues.
Areas Covered In The Session:
- HIPAA requirements for access controls and management.
- HIPAA requirements for properly managing termination of access and conducting regular reviews to ensure access is terminated.
- Find out how the usual internal HR and IT processes may (or may not) work well for some systems, but some systems may be beyond their knowledge or control.
- How access can be utilized following a staff termination to damage or illegally access records.
- Find out about processes that can be instituted to track and manage accesses that are not directly controlled by IT.
- HIPAA enforcement penalties that can apply in the event of a breach of Protected Health Information.
Who Should Attend:
- Compliance Director
- Privacy Officer
- Security Officer
- Information Systems Manager
- HIPAA Officer
- Chief Information Officer
- Health Information Manager
- Healthcare Counsel/lawyer
- Office Manager
- Contracts Manager
About Our Speaker:
Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities. He is a frequent speaker regarding HIPAA, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference. Sheldon-Dean has more than 18 years of experience specializing in HIPAA compliance, more than 36 years of experience in policy analysis and implementation, business process analysis, information systems and software development, and eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.