When configuring your EHR's security to protect Electronic Protected Health Information (EPHI), it is important to consider the security requirements mandated under HIPAA. Some great resources on this subject can be found at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html.
We’ve taken the following excerpts from the Administrative Safeguards guide:
PASSWORD MANAGEMENT – 45 C.F.R. § 164.308(a)(5)(ii)(D)
An important step in protecting electronic protected health information is to implement reasonable and appropriate administrative safeguards. One of the addressable specifications under the law is Password Management. Where the implementation specification is a reasonable and appropriate safeguard, covered entities must implement:
“Procedures for creating, changing, and safeguarding passwords.”
Covered entities must train all users and establish guidelines for creating passwords and changing them during periodic change cycles.
The second safeguard to consider is Authorized Access. While there are multiple guidelines that address access levels, I will point out the primary one that establishes the need for granting appropriate access:
AUTHORIZATION AND/OR SUPERVISION – 45 C.F.R. § 164.308(a)(3)(ii)(A)
Where the implementation specification is a reasonable and appropriate safeguard, covered entities must:
“Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.”
This specification provides the necessary checks and balances to ensure that all members of the workforce have appropriate access (or, in some cases, no access) to EPHI. Restricting access to only those persons with a need for access is a basic tenet of security.
For the complete text and for further information, visit www.hhs.gov/ocr/hipaa.