7. Control Access to Protected Health Information
Tip 8 discusses the importance of passwords in minimizing the risk to electronic health information when setting up EHR systems. The password, however, is only half of what makes up a computer user’s credentials. The other half is the user’s identity, or user name. In most computer systems, these credentials (user name and password) are used as part of an access control system in which users are assigned certain rights to access the data within. This access control system might be part of an operating system (e.g., Windows) or built into a particular application (e.g., an e-prescribing module); often both are true. In any case, configure your EHR implementation to grant electronic health information access only to people with a “need to know.”
For many situations in small practices, setting file access permissions may be done manually, using an access control list. This can only be done by someone with authorized rights to the system. Prior to setting these permissions, it is important to identify which files should be accessible to which staff members.
Additional access controls that may be configured include role-based access control, in which a staff member’s role within the practice (e.g., physician, nurse, billing specialist) determines what information may be accessed. In this case, care must be taken to assign staff to the correct roles and then to set the access permissions for each role correctly with respect to the need to know. The combination of regulations and the varieties of access control possibilities make this one of the more complex processes involved in setting up an EHR system in the small practice.
What if electronic health information is accessed without permission?
Under certain circumstances, such an incident is considered a breach that has to be reported to HHS (and/or a state agency if there is such a requirement in the state’s law). Having good access controls and knowledge of who has viewed or used information (i.e., access logs) can help to prevent or detect these data breaches.
Access Control Checklist
Policies are in place prescribing access controls. For example, when an employee quits, his/her user account is disabled immediately.
Every user account can be positively tied to a currently authorized individual.
Users are only authorized to access the information they need to perform their duties.
All files have been set to restrict access to authorized individuals only.
All staff members understand and agree to abide by access control policies.
Computers running health care-related systems are not available for other purposes.
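The following Python example is added here and is not part of the original guidance. It applies the role-based, need-to-know model described above and checks a set of accounts against the checklist items on departed staff, accounts tied to an authorized individual, and access limited to duties; the role names, user names, resource names and data layout are all constructed for illustration.

```python
# Constructed sample data: roles, users and resources are illustrative assumptions.
ROLE_PERMISSIONS = {
    "physician": {"clinical_notes", "prescriptions", "lab_results"},
    "nurse": {"clinical_notes", "lab_results"},
    "billing_specialist": {"billing_records", "insurance_claims"},
}

# Currently authorized staff, e.g. taken from the practice's personnel roster.
STAFF_ROSTER = {
    "asmith": {"role": "physician", "active": True},
    "bjones": {"role": "nurse", "active": True},
    "cdavis": {"role": "billing_specialist", "active": False},  # has left the practice
}

# Accounts as configured in the EHR system, with the resources each can reach.
EHR_ACCOUNTS = {
    "asmith": {"enabled": True, "access": {"clinical_notes", "prescriptions", "lab_results"}},
    "bjones": {"enabled": True, "access": {"clinical_notes", "lab_results", "billing_records"}},
    "cdavis": {"enabled": True, "access": {"billing_records"}},
    "frontdesk": {"enabled": True, "access": {"clinical_notes"}},  # shared, no named owner
}

def is_allowed(user, resource, roster=STAFF_ROSTER, roles=ROLE_PERMISSIONS):
    """Deny by default: allow only active staff whose role grants the resource."""
    person = roster.get(user)
    if person is None or not person["active"]:
        return False
    return resource in roles.get(person["role"], set())

def audit_accounts(accounts=EHR_ACCOUNTS, roster=STAFF_ROSTER, roles=ROLE_PERMISSIONS):
    """Return sorted (user, finding) pairs for enabled accounts that fail the checklist."""
    findings = []
    for user, acct in accounts.items():
        if not acct["enabled"]:
            continue  # a disabled account cannot be used to reach data
        person = roster.get(user)
        if person is None:
            findings.append((user, "not tied to an authorized individual"))
        elif not person["active"]:
            findings.append((user, "departed staff, account still enabled"))
        else:
            excess = acct["access"] - roles.get(person["role"], set())
            if excess:
                findings.append((user, "excess access: " + ", ".join(sorted(excess))))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_accounts():
        print(f"{user}: {finding}")
```

Running the audit on a schedule, and whenever staff join, change roles or leave, gives a repeatable way to confirm the checklist still holds.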