[ Thursday, February 17, 2005 ]
Limiting access to PHI:
You know you are supposed to limit access to PHI to only those employees with a need to access that PHI. Some of the most high-profile HIPAA breaches involve healthcare employees looking at information they shouldn't have access to because the patient is of interest to them: usually a nurse or doctor looking at the chart of a family member or friend who is in another part of the hospital, or looking at the chart of a famous patient, such as President Clinton.
The best way to limit access to PHI is to tie access to the role the employee plays in the organization. Receptionists need to know scheduling information and sometimes clinical information such as what tests will likely be ordered, but generally don't need access to the whole patient file. Nurses on one floor or station don't need information on patients on another floor or station.
How do you figure out what type of role-based access you should implement? Start by figuring out how PHI travels and is used throughout your organization. See where PHI comes into contact with various jobs. Then attach relevant access rights to particular job descriptions. Use audit logs to track who is accessing what PHI, and investigate whether each access is appropriate or not; that also lets you fine-tune your role-based access rules. Be prepared, too, to review and revise your role-based rules periodically: job positions "creep" into other responsibilities, and the way your organization uses and transmits information will keep evolving, so the rules have to keep up with those changes.
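To make the two pieces of the procedure above concrete (role-based rules scoped to a floor or station, and an audit-log review that flags access falling outside those rules), here is an added example. It is not code from the original post or from any real EHR product; the roles, PHI categories, unit names, user IDs, MRNs and the audit-log format are all assumptions constructed for illustration.

```python
"""Role-based PHI access rules plus an audit-log review pass (added example).

Assumed model: a role grants a set of PHI categories, and access is further
scoped to the employee's own unit (floor/station). The audit-log review replays
recorded accesses against the rule and returns the ones that would not have
been allowed, for a privacy officer to investigate.
"""
from dataclasses import dataclass

# Assumed role -> PHI categories. Receptionists see scheduling and orders but
# not the clinical record; nurses and physicians see all three.
ROLE_PERMISSIONS = {
    "receptionist": {"schedule", "orders"},
    "nurse": {"schedule", "orders", "clinical"},
    "physician": {"schedule", "orders", "clinical"},
}


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    unit: str  # floor or station the employee is assigned to


@dataclass(frozen=True)
class Patient:
    mrn: str
    unit: str  # floor or station where the patient currently is


def check_access(employee, patient, category):
    """Return (allowed, reason). Both the role rule and the unit scope must pass."""
    allowed = ROLE_PERMISSIONS.get(employee.role, set())
    if category not in allowed:
        return False, f"role {employee.role} has no access to {category}"
    if employee.unit != patient.unit:
        return False, f"unit scope: employee on {employee.unit}, patient on {patient.unit}"
    return True, "ok"


def parse_entry(line):
    """Parse one audit line: '<timestamp> user=<id> mrn=<mrn> category=<cat>'."""
    ts, *fields = line.split()
    entry = dict(f.split("=", 1) for f in fields)
    entry["ts"] = ts
    return entry


def review_audit_log(log_text, employees, patients):
    """Replay every access against the rule; return (ts, user, mrn, reason) tuples
    for accesses that the rule would not have allowed or cannot attribute."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        emp = employees.get(e["user"])
        pat = patients.get(e["mrn"])
        if emp is None:
            flagged.append((e["ts"], e["user"], e["mrn"], "unknown user id"))
            continue
        if pat is None:
            flagged.append((e["ts"], e["user"], e["mrn"], "unknown patient"))
            continue
        ok, reason = check_access(emp, pat, e["category"])
        if not ok:
            flagged.append((e["ts"], e["user"], e["mrn"], reason))
    return flagged


# Constructed sample data, not real staff, patients or log output.
EMPLOYEES = {
    "rn_3w_01": Employee("rn_3w_01", "nurse", "3W"),
    "desk_01": Employee("desk_01", "receptionist", "3W"),
    "md_01": Employee("md_01", "physician", "5E"),
}
PATIENTS = {
    "100234": Patient("100234", "3W"),
    "100981": Patient("100981", "5E"),
}
SAMPLE_LOG = """\
2005-02-17T09:14:02 user=rn_3w_01 mrn=100234 category=clinical
2005-02-17T09:15:40 user=rn_3w_01 mrn=100981 category=clinical
2005-02-17T09:16:05 user=desk_01 mrn=100234 category=schedule
2005-02-17T09:17:11 user=desk_01 mrn=100234 category=clinical
2005-02-17T09:20:33 user=md_01 mrn=100981 category=clinical
2005-02-17T09:21:00 user=ghost mrn=100234 category=schedule
"""

if __name__ == "__main__":
    for ts, user, mrn, reason in review_audit_log(SAMPLE_LOG, EMPLOYEES, PATIENTS):
        print(f"{ts} {user} -> MRN {mrn}: {reason}")
```

Run on the constructed log, the review flags three of the six accesses: the 3W nurse reading a 5E patient's clinical record, the receptionist reading a clinical record, and an access under a user ID that no longer maps to an employee. The remaining three are in scope and produce no output. The flagged list is exactly the "investigate whether the access is appropriate" queue the post describes: some hits will be legitimate (a nurse floating to another unit, a consult, a patient transferred mid-shift), and those are the cases that tell you where the role or scope rule needs tuning rather than where someone needs to be disciplined.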
Finally, I highly recommend what my friends in Louisiana call the "object lesson." You need to tell your employees that you will be closely monitoring their access to and usage of PHI, even if you're not looking all that closely; it is much more important that they think you will be doing it than that you are actually doing it. And when you find someone who has improperly accessed PHI, such as the employee looking at a family member's chart, fire them. Teach the rest of the staff an "object lesson" that improper access will be caught, and improper accessors will be fired. Again, it is more important that your staff think they will be caught than that they actually be caught. You won't be able to catch every scofflaw, but you can prevent good people from being tempted to become scofflaws by putting the fear of God into 'em.
Jeff [11:50 AM]