Access to ePHI Security
From HIPAA Safe Issue 17
To complement last issue's ePHI access termination article, we think it beneficial to discuss approaches to granting ePHI access. The first thing a CE or BA must do is implement policies and procedures to ensure that all workforce members have appropriate ePHI access. This means stating management's intentions to your workforce and assigning responsibilities to specific positions to create local processes that provide consistent ePHI access to those who require it, and that prevent workforce members who are not authorized from obtaining it.
Second, formal processes should include how ePHI access is authorized and how this access will be supervised once granted. HIPAA-mature organizations rely on peers and leaders to maintain technical and physical security controls around workstations and other devices that access ePHI. CEs and BAs may identify alternate means to satisfy this HIPAA citation, but we do not recommend informal processes except in the case of a very small workforce (e.g. a single-provider practice), where ePHI access is easily managed.
Third, apply processes to determine correct ePHI access. We've seen hospital leadership positions (e.g. CEO, CIO) with full EHR record access and no functional need to access every patient's record. Consider pre-employment background checks to ensure new employees were not previously fired for HIPAA violations and that their credentials are in good standing. When possible, grant access only to those patient records associated with a position or function, and have processes in place to grant emergency access to other records. Some vendors have not yet built these two controls into their product, so ask whether these features are present if you are considering a new ePHI software program.
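As an added illustration of the two controls described above (record access tied to a position or function, plus a logged emergency-access path for other records), here is a small Python authorization check. It is example code written for this article, not from HIPAA Safe or any EHR vendor; the roles, data elements, patient IDs and the `ROLE_SCOPES` map are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: str
    role: str               # e.g. "nurse", "billing", "ceo" (constructed roles)
    assigned_patients: set  # patients tied to this user's position or function

@dataclass
class AccessLog:
    entries: list = field(default_factory=list)  # (user, patient, element, outcome)

# Hypothetical role-to-data-element map: which parts of a record a role needs.
# A leadership role with no functional need for record access gets an empty scope.
ROLE_SCOPES = {
    "nurse": {"clinical"},
    "billing": {"demographics", "billing"},
    "ceo": set(),
}

def authorize(user, patient_id, element, log, emergency_reason=None):
    """Return True if access is allowed, recording every decision in the log.

    Normal access requires a role scope covering the data element AND an
    assignment to the patient. Emergency ("break-glass") access lifts only the
    patient-assignment check, requires a stated reason, and is always logged
    with that reason so it can be reviewed after the fact.
    """
    scoped = element in ROLE_SCOPES.get(user.role, set())
    assigned = patient_id in user.assigned_patients
    if scoped and assigned:
        log.entries.append((user.user_id, patient_id, element, "normal"))
        return True
    if scoped and emergency_reason:
        log.entries.append((user.user_id, patient_id, element,
                            "break-glass:" + emergency_reason))
        return True
    # Out-of-scope roles cannot break glass; record the denial for supervision.
    log.entries.append((user.user_id, patient_id, element, "denied"))
    return False
```

Reviewing the "break-glass" and "denied" entries in the log is the supervision step the article's second point calls for.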
Lastly, ensure all ePHI access policies, procedures and processes consider and do not violate any of the other HIPAA Security Rule citations.