Case Study – Controlling who accesses your ePHI

HIPAA is mostly concerned with patient privacy: it regulates who may do what with a patient's data. One part of this is controlling who accesses your ePHI. One practice found out how expensive it can be when it didn't control that access.

What happened?

Pagosa Springs Medical Center (PSMC) in Colorado suffered a breach affecting 557 patients when a former employee continued to access ePHI after being terminated. The former employee accessed the practice's patient calendar on two separate occasions over the course of two months. In addition, PSMC did not have a business associate agreement (BAA) with Google, to which it was disclosing ePHI. The investigation by the Department of Health and Human Services Office for Civil Rights (OCR) found that PSMC had not performed its due diligence in obtaining a BAA from Google.

Accessing patient records when no longer employed by a Covered Entity is a violation of HIPAA regulations.

What was the result?

Due to the breach, PSMC was required to pay $111,400. In addition, it was given a two-year corrective action plan stipulating that it must update its security policies and obtain BAAs with any third party that had access to its PHI. PSMC must also designate an individual responsible for ensuring that every third-party vendor is engaged under a BAA.

“It’s commonsense that former employees should immediately lose access to protected patient information upon their separation from employment,” OCR Director Roger Severino said in a statement.  “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

How do you control who accesses your ePHI?

The most common way to control who accesses your ePHI is a per-user account with a username and password. Every EMR system available to physicians today uses this mechanism, whether the EMR is cloud based or runs on a server in the practice. In PSMC's case the former employee's account was not disabled on termination, so the credentials kept working afterwards. Note that the system involved was the patient calendar, not the EMR itself: every system that holds ePHI needs the same treatment, not just the main clinical application.

Another mechanism is logging. An access log shows which user account accessed which record and when, which makes tracking down a breach or impermissible use much easier. Most EMR systems keep detailed access logs, but a log only helps if someone reviews it, for example by checking it against the list of recently separated employees.
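As an added example (not from the original article, and not PSMC's or any vendor's code), the following Python script performs the review just described: it reconciles an access log against the HR separation list, flags events by accounts that should no longer have access or that HR does not know about, and lists accounts still enabled after their owner's separation date. The roster export, the key=value log format and every sample line are constructed for the example; a real EMR audit log will need its own parser.

```python
import csv
import io
import re
from datetime import date, datetime, timezone

# Constructed HR separation list (username, separation date or blank for
# current staff). The export format is assumed; this is not real data.
HR_ROSTER_CSV = """username,separation_date
jsmith,2018-03-15
mjones,
rlee,2018-01-31
"""

# Constructed access-log lines in an assumed key=value format. Real EMR
# and calendar audit logs differ, so adapt LOG_LINE_RE to yours.
ACCESS_LOG = """\
2018-03-10T09:12:44Z user=jsmith action=view resource=patient_calendar result=success
2018-04-02T22:05:13Z user=jsmith action=view resource=patient_calendar result=success
2018-04-20T08:30:00Z user=mjones action=view resource=chart/44812 result=success
2018-05-18T23:41:09Z user=jsmith action=view resource=patient_calendar result=success
2018-02-01T07:00:00Z user=rlee action=login resource=emr result=failure
2018-03-01T10:00:00Z user=tempacct action=view resource=patient_calendar result=success
"""

LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)


def parse_roster(text):
    """Map username -> separation date (None for current employees)."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        sep = row["separation_date"].strip()
        roster[row["username"].strip()] = date.fromisoformat(sep) if sep else None
    return roster


def parse_log_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return ev


def find_post_separation_access(roster, log_text):
    """Return events by accounts that should no longer have access.

    Flags any event, successful or not, dated after the user's separation
    date (a failed login is still an access attempt worth a look), and any
    event by an account the HR roster does not know about. Same-day access
    is not flagged; whether it is acceptable depends on the time of day the
    account was disabled, which this log does not tell us.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_log_line(line)
        if ev is None:
            continue
        if ev["user"] not in roster:
            reason = "unknown_account"
        else:
            sep = roster[ev["user"]]
            if sep is None or ev["ts"].date() <= sep:
                continue
            reason = "post_separation"
        findings.append({**ev, "reason": reason})
    return findings


def stale_accounts(roster, enabled_accounts, as_of):
    """Accounts still enabled in a system whose owner's separation date has passed."""
    return sorted(
        u for u in enabled_accounts
        if roster.get(u) is not None and roster[u] <= as_of
    )


if __name__ == "__main__":
    roster = parse_roster(HR_ROSTER_CSV)
    for f in find_post_separation_access(roster, ACCESS_LOG):
        print(f"{f['ts'].isoformat()} {f['user']:<10} {f['resource']:<18} "
              f"{f['result']:<8} {f['reason']}")
    # Constructed list of accounts currently enabled in the calendar system.
    print("stale:", stale_accounts(roster, {"jsmith", "mjones", "rlee"}, date(2018, 6, 1)))
```

Run against the constructed data, the script flags the two calendar views by jsmith after the 2018-03-15 separation date, rlee's failed login the day after separation, and the tempacct account that HR has no record of; mjones, a current employee, is not flagged. The stale-account check is the one to run on the day of every separation, across every system on the checklist, not only the EMR.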

Onboarding and termination procedures can also be very useful for practices. When an employee is terminated, a lot is going on. Searching for a replacement and training them is often the most time-consuming part. However, removing the former employee's access is critical, and it has to happen on the day of separation. An easy way to manage this is with an onboarding/termination policy.

The first step is to decide what items need to be completed each time an employee is hired. This includes paperwork that needs to be filled out and HIPAA training, but also every system and physical access the employee needs to perform their work-related tasks.

Once you have the list of items, create a checklist of these items that must be done when a new employee is hired.

Here are some examples:

  • Computer access
  • EMR access
  • Email account
  • Online payor portals
  • Phone extension
  • Voicemail
  • Key to building
  • Mobile devices issued by the practice
  • Social media access on behalf of the practice
  • Tax documents
  • HIPAA training
  • Personal mobile device policy training
  • Internet usage training

Once you have your checklist, use it for each employee that your practice hires. Put the completed checklist in the employee’s file. This should be a repeatable process that you can do each time someone is hired.

When the employee leaves, simply follow the list in reverse to ensure that nothing is missed: every access that was granted is revoked, and every device and key that was issued is returned. You could also create a separate termination checklist to achieve the same result. Follow the checklist and then add it to your HIPAA documentation. In the event of an audit, the documentation will be there to show that you performed the necessary tasks.

Over time, update your checklists to ensure that they are still relevant to your situation. Ten years ago, most practices didn't use mobile devices on a daily basis; today, cloud services such as a shared calendar hold ePHI and belong on the list too.

Summary

Controlling who accesses your ePHI is one of the most important responsibilities of a practice (or business associate). When an employee leaves, their access to every system that holds ePHI must be removed. Not doing so could result in an expensive fine, as PSMC found out. Create your own checklists to make sure that you don't miss anything when an employee leaves, and keep the completed lists in your documentation in the event of an audit.