As healthcare becomes much more technologically advanced, it’s important for organizations to know who charted, filed a document, or even accessed a patient’s medical record.  But with so many disparate systems that can’t share a single sign-on, how do healthcare practices comply with the requirement for unique user credentials without causing undue work for practice or system administrators?

The Security Rule requirement

First, it’s important to understand what the law requires.  The HIPAA Security Rule requires the technical safeguard standard of access control.  In 45 CFR § 164.312, access control is explained as “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights” as appropriate.  Furthermore, the standard provides implementation specifications, including a required element of “unique user identification” for identifying and tracking the user, if needed.

While the rule provides the access control requirement, it leaves room for how to implement the standard as long as the user can be identified for auditing purposes.  At no point do the regulations restrict the tools by which a unique identifier is assigned or monitored. This means organizations are not required to assign unique credentials using the Electronic Health Record (EHR) system.  While the EHR may be the most popular tool to track unique credentials, healthcare organizations can ultimately use a variety of systems at their disposal to appropriately track unique user access.

While the HIPAA Security Rule leaves ample room for healthcare organizations to manage their system access, it does include requirements that can be cumbersome and tedious for the average administrator to manage. An alternative is to work with a business associate who specializes in compliant release of information so you can ensure your records workflows are handled efficiently and according to compliance best practices.

How can I handle user access for business associates?

Many healthcare organizations utilize expert partners to help with a variety of office needs.  These business associates come with their own experienced staff, many of whom could help with your account at various times based on need.  When you don’t employ the staff, what are you responsible for regarding their unique access, and how do you meet that responsibility?

When you sign a business associate agreement, you are creating a partnership with another organization, but the business associate maintains their own responsibility and liability for complying with the HIPAA Security Rule.  The standards that apply to you as a covered entity in the Security Rule also apply to your business associate partner.  Many business associates utilize robust tracking software for assignment of credentials with their staff, especially when working with various healthcare organizations.  This means that while following the HIPAA Security Rule, you could grant a business associate a user identification to access your systems and rely on the tracking on their end to uniquely identify that user.

Trusting your business associate to handle the tracking of unique user interactions with your systems can provide great benefit to you.  If a business associate’s staff member calls in sick or is out on vacation, a substitute can utilize the user access account while still being tracked on the business associate’s end. More than likely, you wouldn’t even feel the difference!

Requiring unique access for each user in your system creates much more of a burden on you – and it’s not required by the HIPAA Security Rule.  If the business associate’s staff member called in sick, do you really want to drop everything you are doing to obtain the substitute’s name and information required for a login, grant a temporary password, troubleshoot when the password doesn’t work, etc.? No! You hired the business associate so you can go on with your day and not even know they are there.

Trusting your business associate to properly track access and use of their credential(s) to your systems relieves the headache of creating unique credentials, managing passwords, and the many other hurdles that come with access management for employees other than your own. If ever there is a need to account for who was in a chart or system at a specific time, the business associate should be able to provide that information to you with their own tools to meet the HIPAA Security Rule requirement.

Get rid of the staff turnover and credential headache

This credential regulation can cause great nuisances for any organization’s administrators. Every time there is staff turnover, new credentials must be created, employees must be trained to access the electronic PHI, and proper permissions must be established.  If you are tired of wasting your precious time on giving new employees access to your systems and handling the re-training, a business associate partner like ScanSTAT Technologies can help.

ScanSTAT utilizes a HIPAA-compliant virtual workspace where our employees securely operate and are monitored while executing HIM tasks like records release and filing on your behalf. With this system implemented, ScanSTAT avoids being handcuffed by the logistics of having onsite personnel taking your space and drinking your coffee, while also complying with the HIPAA Security Rule unique user requirement.  Find out how we can relieve you of the burden of staff turnover and access management for your medical records by requesting a demo today.