Giving out protected health information (PHI) to everyone and anyone who inquires? Sure, we know most medical practices are wise enough to understand this would be a severe violation of HIPAA compliance laws. Most healthcare organizations may also know the importance of antivirus for computers, securing offsite data backups and other best practices for HIPAA but one area often overlooked is controlling the staff’s appropriate access to PHI and ePHI. 

Knowing the ins-and-outs of what is considered ‘appropriate access’ to patient data – i.e., giving only access that is necessary for staff to complete job functions and not carte blanche access to your data – can be confusing. COVID-19 has made several HIPAA regulations even more complex with thousands of healthcare workers across the nation finding themselves transitioning to remote operations with reduced hours or even facing layoffs or furloughs. These operational changes have caused some additional confusion as to when a practice must change or limit employee access to PHI. Adding to the complexity is attempting to ensure all staff are following appropriate guidelines when remotely accessing ePHI.

Due to knowledge and time constraints for most independent medical practices, this can be so daunting that it is largely ignored. Access to patient records by staff must be limited to authorized business purposes only, regardless of the setting. Essentially, the only time an employee should view PHI is when it is necessary to effectively perform their job duties or with written permission from a patient. Some of these purposes include:

• Treatment 
• Payment 
• Healthcare Operations 

Accessing patient records for reasons other than those necessary to complete job responsibilities is not permitted (ever, COVID-19 or not) and is otherwise considered a violation of patient privacy. It is a requirement under HIPAA to maintain access logs for this very reason – to identify any inappropriate access to PHI. Appropriate access isn’t just a best practice, but a key part of the Privacy Rule under HIPAA and grounds for HIPAA fines if noncompliance is discovered. Recently, more than 50 employees at a hospital in Chicago were fired immediately after it was discovered that they inappropriately accessed and viewed the medical records of an actor who had been treated at the facility. Nearly 80% of healthcare executives say that employee security awareness is amongst their greatest concern – making it even more essential that staff members are properly trained on appropriate access policies. 

If you’re currently working from your kitchen table in your pajamas (no judgment, us too) you may not be aware of the additional threat you now pose to the security of patient data. Remote work environments, while critical in today’s climate, introduce less secure home networks and fewer safeguards than you might find in your office. It becomes even more essential to mitigate new threats by ensuring your staff knows not only appropriate ways to access data but are only accessing the minimal amount of data necessary to complete their job responsibilities. You can read our recent article for additional tips on how to safeguard data while working remotely here.  

Unfortunately, in the current economic climate, many healthcare organizations are resorting to furloughing staff. This can add unprecedented challenges for practices trying to control appropriate access to protected health information. Even if an employee will be returning to your practice, there should still be a process in place to limit their access to PHI while furloughed. Removing access can be done by revoking the employee’s login credentials to the practice’s EHR system, recollecting any key or keycard they were given, or other security measures deemed necessary to limit their exposure to sensitive patient data. It’s important to keep in mind that any access removed can be restored when furloughed employees are brought back, but limiting access temporarily will help prevent unauthorized disclosures. Other helpful tips to keep in mind with appropriate access are:

• Assign different levels of security clearance to control role-based access to certain data. Staff only need access to information that pertains to their specific duties rather than full access to all patient data.
• Never share passwords or login credentials between staff members. Each employee should have their own user ID and password assigned to them so if they are terminated for any reason, layoff or not, it is easy to remove their specific credentials and ensure they will not have any further access to ePHI.

Ensuring PHI is accessed only when necessary is essential to protect medical practices and patients. Just as a practice doesn’t share financial information with all staff, sensitive patient data should have similar appropriate restrictions. During this difficult time, it is all the more important to have proper access policies in place and guidelines to guarantee the safety and security of patient data. Whether at home accessing PHI in your PJ’s, or looking to the future when we’re all back in our offices once again, appropriate access is key to essential data privacy.