[ Tuesday, August 23, 2005 ]
Here's something I hadn't thought about, since I'm not an in-house lawyer: when employees of a covered entity change jobs or assume new responsibilities, it's possible (perhaps even likely in loosely-organized physician practices or other covered entities) that the employee's access requirements will change, but often there's no change in the employee's access rights. In other words, when an employee goes from a clinical job where access to all PHI is required to an administrative job where only access to billing information is required, often the covered entity won't change that employee's access rights, which could allow that employee to access PHI that he or she shouldn't.

Hospital Compliance Wire has a few tips for preventing this. First, base access rights on the role of the employee, not the identity of the employee. There's even a good acronym for this: RBAC (role-based access control). It works for Mammoth Hospital in Mammoth Lakes, California, according to their info sec officer Greg Young (I only mention that because that's where I'm going skiing this spring). Second, make the departments accountable for determining and controlling access, based on RBAC rules. This way, when an employee changes departments, the new department redefines the employee's access, which prevents access creep. Third, keep a regular access maintenance program, such as requiring departments to confirm that access is appropriate for all department employees on a regular (e.g., semi-annual) basis.

Again, if your organization has a loose org chart, and people do not have clear departmental designations or responsibilities, this may be harder to do. But if you've got a strict hierarchy, this is a good way to keep access closed where it should be closed.
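To make the three tips concrete, here is a small added example (my own illustration, not code from Hospital Compliance Wire or Mammoth Hospital) with a hypothetical role catalogue: a transfer that redefines access versus one that piles new roles on top of old ones, and a periodic review that catches the resulting access creep.

```python
from dataclasses import dataclass, field

# Hypothetical role catalogue (constructed for this example): each role grants a fixed permission set.
ROLE_PERMISSIONS = {
    "clinician": {"phi:read", "phi:write", "billing:read"},
    "billing_clerk": {"billing:read", "billing:write"},
    "front_desk": {"demographics:read", "scheduling:write"},
}

@dataclass
class Employee:
    name: str
    department: str
    roles: set = field(default_factory=set)
    direct_grants: set = field(default_factory=set)  # one-off grants outside any role

    def effective_permissions(self) -> set:
        perms = set(self.direct_grants)
        for role in self.roles:
            perms |= ROLE_PERMISSIONS[role]
        return perms

def transfer(emp: Employee, new_department: str, new_roles: set) -> None:
    """Tip 2 done right: the receiving department REDEFINES access.
    Old roles and direct grants are dropped, not carried along."""
    emp.department = new_department
    emp.roles = set(new_roles)
    emp.direct_grants = set()

def transfer_with_creep(emp: Employee, new_department: str, new_roles: set) -> None:
    """The problem the post describes: new roles are added, old ones never removed."""
    emp.department = new_department
    emp.roles |= set(new_roles)

def access_review(employees: list, attestations: dict) -> list:
    """Tip 3: periodic (e.g. semi-annual) review. `attestations` maps each employee
    to the roles their CURRENT department approves; anything beyond that is flagged."""
    findings = []
    for emp in employees:
        approved = set().union(*(ROLE_PERMISSIONS[r] for r in attestations.get(emp.name, ())))
        excess = sorted(emp.effective_permissions() - approved)
        if excess:
            findings.append((emp.name, excess))
    return findings

def demo() -> list:
    # Constructed scenario: two clinicians move from Nursing to Billing.
    alice = Employee("alice", "nursing", {"clinician"})
    bob = Employee("bob", "nursing", {"clinician"})
    transfer(alice, "billing", {"billing_clerk"})            # access redefined
    transfer_with_creep(bob, "billing", {"billing_clerk"})   # access creep
    attestations = {"alice": {"billing_clerk"}, "bob": {"billing_clerk"}}
    return access_review([alice, bob], attestations)         # flags bob's leftover PHI access
```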
Jeff [10:06 AM]