Covered Entity and Business Associate workforce members must be aware of their responsibilities when given access to information systems that create, receive, transmit or maintain electronic Protected Health Information (ePHI). Such access is a privilege and should only be used for legitimate, job-related activity. Typically, employees must sign a Confidentiality and Acceptable Computer Use Agreement at least once a year. Appropriate use of information systems applies to all workforce members regardless of tenure or rank.
The HIPAA Security Final Rule's Audit Controls standard (45 CFR §164.312(b)) requires organizations to implement mechanisms that record and examine activity in information systems containing ePHI. In practice this means audit trails that record user activity, including the specific records accessed and the dates and times of each access, so that a review can later reconstruct who looked at what.
Accessing the accounts of friends, celebrities, relatives, coworkers, or other individuals is strictly prohibited unless you are specifically required to do so as part of your work-related responsibilities. You should not access any account unless you have a specific job-related need to do so. Snooping is not a permissible activity. Do not look up an individual’s information because you are curious, concerned or as a favor for someone else. How would you feel if someone was looking through your medical or financial records for non-professional reasons? How would you feel if others were gossiping about the most sensitive medical secrets of your mother, father, son or daughter?
Most organizations routinely monitor systems access and look for inappropriate access. Inappropriate access can result in disciplinary action up to, and including, termination. Because the audit trail ties every access to a user account, employees must guard their authentication credentials, such as username and password. Never share your user ID or password.
You do not want to be held accountable for actions committed by another workforce member using your username and password. If you suspect your password has been compromised, change it immediately. Requirements to use strong passwords are not meant to irritate but to protect. (Note that current NIST guidance, SP 800-63B, recommends changing a password when there is evidence of compromise rather than on a fixed schedule; follow your organization's policy.)
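The audit-trail review described above, as an added example that is not part of the original post. It assumes a CSV audit trail with columns timestamp, user_id, patient_id and action, a workforce roster mapping each user ID to that employee's own patient record, and a care-team table of which users have a treatment relationship with which patients; all names, columns and log rows are constructed for the example. It flags the snooping patterns the text warns about (looking up your own record, a coworker's record, or a patient you are not treating) plus after-hours access as a secondary signal.

```python
"""Review an ePHI access audit trail for inappropriate access.

Assumptions (constructed for this example, not from the original post):
- the audit trail is CSV with columns timestamp,user_id,patient_id,action
- WORKFORCE_PATIENT_IDS maps a workforce user ID to that person's own
  patient record, so coworkers' records can be recognised
- CARE_TEAM maps a user ID to the patients they have a treatment
  relationship with; any other access needs a justification
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample audit trail (not real data).
AUDIT_LOG = """timestamp,user_id,patient_id,action
2016-08-01T09:12:03,nurse01,P1001,VIEW
2016-08-01T09:40:17,nurse01,P2002,VIEW
2016-08-01T12:05:44,clerk07,P3003,VIEW
2016-08-01T22:48:09,nurse01,P1001,VIEW
2016-08-02T08:15:30,doc02,P9009,VIEW
2016-08-02T10:30:00,doc02,P5005,VIEW
"""

# Constructed roster: which patient record belongs to which workforce member.
WORKFORCE_PATIENT_IDS: Dict[str, str] = {
    "nurse01": "P5005",
    "clerk07": "P3003",
    "doc02": "P7007",
}

# Constructed care-team assignments: user -> patients they are treating.
CARE_TEAM: Dict[str, Set[str]] = {
    "nurse01": {"P1001"},
    "doc02": {"P9009"},
    "clerk07": set(),
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user_id: str
    patient_id: str
    reasons: Tuple[str, ...]


def review(log_text: str,
           roster: Dict[str, str],
           care_team: Dict[str, Set[str]],
           business_hours: Tuple[int, int] = (7, 19)) -> List[Finding]:
    """Return one Finding per audit row that trips at least one check."""
    findings: List[Finding] = []
    coworker_records = set(roster.values())
    for row in csv.DictReader(io.StringIO(log_text)):
        user, patient, ts = row["user_id"], row["patient_id"], row["timestamp"]
        reasons: List[str] = []
        if roster.get(user) == patient:
            reasons.append("self-access")          # looking at your own chart
        elif patient in coworker_records:
            reasons.append("coworker-record")      # a colleague's chart
        if patient not in care_team.get(user, set()):
            reasons.append("no-treatment-relationship")
        hour = datetime.fromisoformat(ts).hour
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("after-hours")          # weaker signal, still worth a look
        if reasons:
            findings.append(Finding(ts, user, patient, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in review(AUDIT_LOG, WORKFORCE_PATIENT_IDS, CARE_TEAM):
        print(f"{f.timestamp} {f.user_id:8} {f.patient_id:6} {', '.join(f.reasons)}")
```

A real review would join the care-team table from the scheduling or EHR system rather than a hard-coded dictionary, and "after-hours" on its own is only a prompt for a manager to ask, not evidence of wrongdoing; the self-access and coworker-record hits are the ones that usually need a documented justification.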
When displaying or accessing sensitive information, do not leave your workstation unattended for any extended period of time. Before leaving, lock your workstation and/or close the relevant application (Windows users can press Ctrl+Alt+Del and select Lock, or press Win+L). A password-protected screensaver that activates after a suitable idle time (15 minutes or less, as suited to your environment) is recommended in case you are unintentionally away for longer than expected.
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach regulations are here.
Author: Bob Chaput