Control PHI Access to Avoid Massive HIPAA Penalties


Simple mistakes, such as not controlling who in your office has access to patient information, can inadvertently result in patient complaints and costly HIPAA access control penalties.

At the core of the HIPAA Privacy Rule is the “minimum necessary” requirement, which sets out how and when patient information may be accessed, discussed or shared. It also sets a standard for reasonable protection of patient privacy by limiting the disclosure of protected health information (PHI) to the staff members who need it to complete their job.

Ensure PHI Access Remains Compliant

The good news is that unauthorized disclosure of PHI is preventable. Below are six concrete steps that you can implement today to protect your patients’ information and your practice from being penalized for violating the HIPAA access control policy.

Step 1: Create a Master List

First, you must identify the specific person or people in your practice who require access to your patients’ information to complete their job. If you have a large staff, try creating the list using job titles rather than individual names so that it can continue to be used regardless of staff turnover, promotions, and other staffing changes.

Step 2: Implement a System of Role-Based Access to PHI

In order to develop role-based permissions, you’ll need to organize your master list in tiers based on the minimum level of access you’ve identified for each person to complete their job. Be sure that you can justify each person’s level of access to ensure compliance with the HIPAA access control policy.

For example, if your receptionist only needs a patient’s demographic information (name, date of birth, address, etc.), they should not be allowed to access progress notes with in-depth care information. On the flip side, the person doing your coding and billing may need detailed progress notes in order to correctly submit your claims and get you paid.

A HIPAA access control policy controls employee access to patient information based on their role. This is important because it allows you to proactively limit PHI access to the required minimum and prevent a HIPAA violation.

Step 3: Separate Employee Logins

Each person in your practice who needs access to patient information should have their own, specific login. You can work with IT to create the various access tiers and grant them to each person’s credentials.

In creating this tiered access, IT should be able to track each user’s actions and set up alerts for suspicious activity (including accessing a record of another staff person or someone with the same last name).

Depending on your practice, you may also want to restrict access outside of working hours so PHI is unavailable to staff when they are not on the job.

It’s imperative that you document every step of your HIPAA access control policy, including the master list, user-based access, tracking and termination procedures in a practice manual that you can have on hand if you ever get audited.

Note: User privileges need to be systematically terminated every time a staff member leaves the job and new login privileges need to be set each time a person transitions to a new role within your practice. It’s your responsibility to develop a system that consistently alerts IT when any of these staffing changes occur and then to follow up to make sure that the credential was terminated or updated.

Step 4: Set Up Regular Internal Audits

Set aside a regular, protected time to audit your own system. This could happen quarterly, or if staffing is in flux due to the pandemic, you may want to do it more frequently.

During your review, you should confirm that your master list is up to date. If you need to make any adjustments to the list, be sure that those get translated to each person’s login so access continues to be the minimum possible based on every role.

It’s critical that you check that all login access has been updated based on turnover, new hires, changes in job descriptions and any other transitions.

Lastly, you’ll need to review any red flags or alerts that you missed since your last audit. For example, let’s say your medical assistant was identified as accessing a celebrity patient’s information. Although her access could be legitimate, you should double-check the reason for the access and document your findings to confirm the HIPAA access control policy is compliant.
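As an added illustration (not code from the original article), here is a small Python model of Steps 2 through 4: role tiers taken from a hypothetical master list, individual logins that are disabled on termination or re-tiered on a role change, an audit record for every access attempt, and the review queue that a quarterly audit would work through. The alert conditions mirror the ones named above (a record of another staff member, a patient with the same last name, a high-profile patient, off-hours access); they never block a read on their own, they mark it for a reviewer to confirm the reason. The role names, PHI sections, working hours, and the sample staff and patients are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed access tiers derived from a hypothetical master list (Step 2).
# Each role sees only the PHI sections it needs; everything else is unreachable.
ROLE_PERMISSIONS = {
    "receptionist": {"demographics"},
    "medical_assistant": {"demographics", "vitals", "progress_notes"},
    "billing": {"demographics", "progress_notes", "claims"},
    "provider": {"demographics", "vitals", "progress_notes", "claims"},
}

# Hypothetical working hours; reads outside them are flagged for review.
WORK_START, WORK_END = time(7, 0), time(19, 0)


@dataclass
class Staff:
    user_id: str          # individual login, never shared (Step 3)
    last_name: str
    role: str
    active: bool = True   # set to False on termination


@dataclass
class Patient:
    patient_id: str
    last_name: str
    is_staff: bool = False      # the patient is also an employee of the practice
    high_profile: bool = False  # e.g. a well-known patient


@dataclass
class AccessEvent:
    when: datetime
    user_id: str
    patient_id: str
    section: str
    allowed: bool
    flags: list = field(default_factory=list)


def check_access(user: Staff, patient: Patient, section: str,
                 when: datetime, audit_log: list) -> bool:
    """Decide one PHI read and record it. Returns True if the read is permitted."""
    flags = []
    if not user.active:
        allowed = False
        flags.append("inactive_credential")
    else:
        allowed = section in ROLE_PERMISSIONS.get(user.role, set())
        if not allowed:
            flags.append("outside_role_tier")
    # Review triggers (Steps 3 and 4): recorded, not blocking.
    if not (WORK_START <= when.time() <= WORK_END):
        flags.append("off_hours")
    if patient.is_staff:
        flags.append("staff_record")
    if patient.last_name.casefold() == user.last_name.casefold():
        flags.append("same_last_name")
    if patient.high_profile:
        flags.append("high_profile_record")
    audit_log.append(AccessEvent(when, user.user_id, patient.patient_id,
                                 section, allowed, flags))
    return allowed


def deprovision(user: Staff) -> None:
    """Termination procedure: disable the login rather than delete it, so past
    audit entries still point at a known user."""
    user.active = False


def change_role(user: Staff, new_role: str) -> None:
    """Role transition: the old tier goes away and the new one applies at once."""
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {new_role!r}; add it to the master list first")
    user.role = new_role


def audit_review(audit_log: list) -> list:
    """Step 4 review queue: every denied read and every flagged read."""
    return [e for e in audit_log if not e.allowed or e.flags]


if __name__ == "__main__":
    # Constructed sample: a few staff and patients, then some access attempts.
    log = []
    front_desk = Staff("u-101", "Rivera", "receptionist")
    coder = Staff("u-202", "Nguyen", "billing")
    ma = Staff("u-303", "Okafor", "medical_assistant")
    pt = Patient("p-1", "Rivera")
    celeb = Patient("p-2", "Famous", high_profile=True)

    check_access(front_desk, pt, "demographics", datetime(2024, 3, 4, 9, 15), log)
    check_access(front_desk, pt, "progress_notes", datetime(2024, 3, 4, 9, 16), log)
    check_access(ma, celeb, "progress_notes", datetime(2024, 3, 4, 22, 5), log)
    deprovision(coder)
    check_access(coder, pt, "claims", datetime(2024, 3, 5, 10, 0), log)
    for e in audit_review(log):
        print(e.when.isoformat(), e.user_id, e.patient_id, e.section,
              "ALLOWED" if e.allowed else "DENIED", ",".join(e.flags))
```

The audit log is appended on every attempt, including denied ones, because a pattern of denied reads outside a role's tier is itself something the quarterly review should see. Keeping terminated logins as inactive records, instead of deleting them, preserves the link between old audit entries and the person who made them.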

Step 5: Train Your Staff

In order to do their part, your staff needs to understand the value of protecting patient health information. If you haven’t done so already, ensure that all of your staff members are trained in:

  • What constitutes PHI
  • When it’s ok to access and use PHI
  • How searching for, accessing or using PHI beyond the minimum needed to complete a job is a HIPAA violation that can incur massive personal and organizational fines
  • How the tiers of access limit PHI for each specific role
  • Why staff members must not share login credentials or passwords with each other

This should be built into the onboarding process for all staff, and you may also want to have short “booster” training sessions annually. You must document the date and topic of the training, as well as who attended. You may also want your staff to sign something to say they attended the training for added protection.

To avoid HIPAA access control policy violations and fines, protecting patient privacy has to be an ongoing part of the dialogue at work. Let your staff know that you’re in this together so there is an open line of communication for them to come to you with any observation, question or idea.

Step 6: Keep Yourself Informed

As a practice leader, it’s essential that you’re informed and up to date on current privacy laws and regulations. Start now by joining healthcare attorney and privacy expert Joseph Lazzarotti, Esq., CIPP, for an online 90-minute course that covers recent changes in patient information protection rules and explores how these impact your technology, HIPAA policies and clinic workflows.
