From HIPAA Safe Issue 17
To compliment last issue’s ePHI access termination article, we think it beneficial to discuss approaches to granting ePHI access. The first thing a CE or BA must do is implement policies and procedures to ensure that all workforce members have appropriate ePHI
access. This means providing your workforce with intentions, and assigning responsibilities to specific positions to create local processes that provide consistent ePHI access to
those that require such, and to prevent workforce members who do not have access from obtaining such.
Second, formal processes should include how ePHI access is authorized and how this access will be supervised once granted. HIPAA-mature organizations rely on peers and leaders to maintain technical and physical security controls around workstations and
other devices that access ePHI. CE and BA may identify alternate means to satisfy this HIPAA citation, but we do not recommend informal processes except in the case of a very small workforce (e.g. a single provider practice, etc.), where ePHI access is easily
Third, apply processes to determine correct ePHI access. We’ve seen hospital leadership positions (e.g. CEO, CIO, etc.) with full EHR record access and no functional need to access
every patient’s record. Consider pre-employment background checks to ensure new employees were not previously fired for HIPAA violations and that their credentials are in good standing. When possible, only grant access to those patient records associated
with a position or function and have processes in place to grant emergency access
to other records. Some vendors have not yet built these two controls into their product, so ask if these features are present if you are considering a new software ePHI program.
Lastly, ensure all ePHI access policies, procedures and processes consider and do not violate any of the other HIPAA Security Rule citations.