Written by: Joanne Byron, BS, LPN, CCA, CHA, CHCO, CHBS, CHCM, CIFHA, CMDP, COCAS, CORCM, OHCC, ICDCT-CM/PCS
This article addresses the importance of Electronic Health Record (EHR) security to help health care organizations, health plans, clearinghouses (Covered Entities) and their business associates avoid HIPAA violations under the Security Rule Standard § 164.312(a)(1). To obtain more information about mitigating the risk of a HIPAA violation, please consult with legal counsel or a HIPAA Security Consultant.
What If . . .
What would happen if you shared your login and password to your online bank account? How about sharing the password to access your credit cards? How would you feel if you knew your doctor shared his/her password to your personal medical records with an unauthorized user? What if someone in medical billing shared his/her password to your account (containing your medical and financial identity) with someone not authorized to access your information?
What If EHR Passwords Are Shared . . .
Electronic health records (EHRs) incorporate a vast amount of patient information and diagnostic data, most of which is considered protected health information. With the advancement of technology, the emergence of advanced cyber threats has escalated, which hinders the privacy and security of health information systems such as EHRs.
As defined by the Center of Medicare and Medicaid Services (CMS), “An electronic health record (EHR) is an electronic version of a patient’s medical history, that is maintained by the provider over time, and may include all of the key administrative clinical data relevant to that person’s care under a particular provider, including demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports.”
Because this protected information and data can easily get into the wrong hands, individuals should not share passwords with anyone.
Is This Really a Problem? Doesn’t Everyone Share Passwords?
Due to the sensitive nature of the information stored within EHRs, several security safeguards have been introduced through the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Prevalence of Sharing Access Credentials in Electronic Medical Records
To summarize an abstract published by PMC (Public Med Central) of the U.S. National Institutes of Health’s National Library of Medicine, it was found that to prevent data leakage, many countries have created regulations regarding medical data accessibility. These regulations require a unique user ID for each medical staff member, and this must be protected by a password, which should be kept undisclosed by all means. A survey was conducted with the following results:
- A total of 299 surveys were gathered.
- The responses showed that 220 (73.6%) participants reported that they had obtained the password of another medical staff member.
- Only 171 (57.2%) estimated how many times it happened, with an average estimation of 4.75 episodes. All the residents that took part in the study (45, 15%) had obtained the password of another medical staff member, while 57.5% (38/66) of nurses reported this.
Their conclusion from this study: the use of passwords is doomed because medical staff members share their passwords with one another. Strict regulations requiring each staff member to have a unique user ID might lead to password sharing and to a decrease in data safety. Click Here to access the full study.
Remember to Comply With the 3 Pillars of Securing ePHI
The three pillars to securing protected health information outlined by HIPAA are administrative safeguards, physical safeguards, and technical safeguards. These three pillars are also known as the three security safeguard themes for healthcare. These themes range from techniques regarding the location of computers to the usage of firewall software to protect health information. A brief list of the HIPAA Security Safeguards:
- Access control (technical safeguard) is a technique that prevents or limits access to an electronic resource. The intent behind access control techniques is to limit access to only authorized parties. The healthcare facility collects, stores, and secures patients’ data, which is very sensitive. This safeguard can take the form of role-based access control, attribute-based access control, and identity-based access control. Role-based refers to a person’s role in the healthcare facility. For instance, when a provider begins working at a healthcare facility, he/she has access to patient data, but only the patient data for his/her patients. If this provider also serves on a certain committee in the hospital, then another set of privileges is created to enable access to committee resources. When other data is accessed, a log is created that is periodically audited. When a front-desk clerk begins working in a facility, he/she has no reason to access clinical data, but may need access to the administrative data such as address and phone number, depending on the role that the person plays in the organization. Other names for this are media controls, entity authentication, encryption, firewall, audit trails, virus checking, and packet filtering.
- Physical access control (physical safeguard) is a technique that prevents or limits physical access to resources. The intent of this control is similar to the technical safeguard: It limits access to only authorized parties. A patient in a facility will not have access to any clinic or ward except the one he/she is seen in. A front-desk clerk in the optometry clinic will not typically need access to the emergency room, so his/her access card will not open those doors. A provider in a facility will not typically need access to the server room, so his/her access card will not unlock those doors. Other names for this are physical security, (some) workstation security, assigned security responsibility, media controls (access cards), and physical access control.
- Administrative safeguards are techniques that are not entirely technical or physical, but may contain a piece of each. These safeguards typically take the form of policies, practices, and procedures in the facility to regularly check for vulnerabilities and continually improve the security posture of the organization. Other names for this control are risk analysis and management, system security evaluation, personnel chosen for certain roles, contingency, business continuity, and disaster recovery planning.
When Someone Shares a Password – It Is a HIPAA Violation Under the HIPAA Security Rule – Technical Safeguard Related to Access Controls.
The Security Rule defines access in § 164.304 as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. (This definition applies to “access” as used in this subpart, not as used in subpart E of this part [the HIPAA Privacy Rule]).” Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement as part of § 164.308(a)(4), the Information Access Management standard under the Administrative Safeguards section of the Rule.
Unique User Identification Requirement - § 164.312(a)(2)(i)
The Unique User Identification implementation specification states that a covered entity must: “Assign a unique name and/or number for identifying and tracking user identity.”
User identification is a way to identify a specific user of an information system, typically by name and/or number. A unique user identifier allows an entity to track specific user activity when that user is logged into an information system. It enables an entity to hold users accountable for functions performed on information systems with ePHI when logged into those systems using audit trails (addressed toward the end of this article).
Regardless of the technology or information system used, access controls should be appropriate for the role and/or function of the workforce member. For example, even workforce members responsible for monitoring and administering information systems with electronic protected health information or ePHI, such as administrators or super users, must only have access to ePHI as appropriate for their role and/or job function.
Sample questions for covered entities to consider:
- Does each workforce member have a unique user identifier?
- What is the current format used for unique user identification?
- Can the unique user identifier be used to track user activity within information systems that contain ePHI?
So, What Can Happen If We Have Insufficient ePHI Access Controls?
Violating HIPAA law 104-191 can be costly. The HIPAA Security Rule requires covered entities and their business associates to limit access to ePHI to authorized individuals. The failure to implement appropriate ePHI access controls is also one of the most common HIPAA violations and one that has caused financial penalties.
Financial penalties issued to covered entities for ePHI access control failures include:
Anthem Inc. – $16,000,000 penalty for access control failures and other serious HIPAA violations
OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System for HIPAA Violations
OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations
University of California Los Angeles Health System – $865,500 penalty for the failure to restrict access to medical records
Colorado Medical Center – $111,400 penalty for the failure to terminate access to ePHI after an employee termination and a lack of a business associate agreement
Controlling Access to ePHI: For Whose Eyes Only?
The government HIPAA privacy/security enforcement agency is the Office for Civil Rights (OCR). OCR published the Summer 2021 Cybersecurity Newsletter on July 14, 2021, which states:
The rise in data breaches due to hacking as well as threats to ePHI by malicious insiders highlight the importance of establishing and implementing appropriate policies and procedures regarding these Security Rule requirements. Ensuring that workforce members are only authorized to access the ePHI necessary and that technical controls are in place to restrict access to ePHI can help limit potential unauthorized access to ePHI for both threats.
A recent report of security incidents and data breaches found that 61% of analyzed data breaches in the healthcare sector were perpetrated by external threat actors and 39% by insiders.
Without appropriate authorization policies and procedures and access controls, hackers, workforce members, or anyone with an Internet connection may have impermissible access to the health data, including protected health information (PHI), that HIPAA regulated entities hold. News stories and OCR investigations abound of hackers infiltrating information systems, workforce members impermissibly accessing patients’ health information, and electronic PHI (ePHI) being left on unsecured servers.
Information Access Management and Access Control are two HIPAA Security Rule standards that govern access to ePHI.
Download this newsletter:
Monitor Audit Trails
Audit trails automatically register and record where, when and who accessed the system. They also record what users do when they access the system. This tracks every change in patients’ information and documents it.
Since all the data is logged in the EHR system, it enables users to review the data at regular intervals and flag activities that seem suspicious. Regular reviews can also help correct mistakes caused by human error that could be flagged as a HIPAA violation. An audit trail answers the following:
- Which patients’ data was accessed?
- What time was it accessed?
- Who retrieved the data?
- Where was the data accessed from?
EHR software can also be set to send notifications to patients when their information is accessed. This way patients can report breaches as soon as they happen.
Conclusion
Create strong policies and procedures, then communicate these rules to your workforce. Enforce compliance through auditing and monitoring. Explain that when an individual allows another to use his/her password to access ePHI, that individual can alter and perform unauthorized functions and not be held accountable. The audit trail points back to the person who is assigned that password.
Conduct on-going training of your workforce, which needs to include your C-Suite executives (who are not exempt from the rules). To gain the BEST results, conduct additional quarterly training with your front-line managers and supervisors. Give them tools to incorporate HIPAA training at EVERY department meeting. If you think annual HIPAA training is sufficient, then you simply are not doing enough to protect your patient’s ePHI.
Additional Resources
Weekly HIPAA Podcasts (free) at:
OCR “The Security Rule” on the HHS website:
HIPAA Security Basics – a short course
Cybercrime, HIPAA & Healthcare Webinar – On Demand:
Train Online in HIPAA Privacy & Security: