One of our readers just wrote in with a very timely question. “I recently heard that a type of access report was going to be required by HIPAA so that clinicians can see who and when (someone) accessed a specific patient’s data. I was wondering if you could comment on this …”. Actually, perfect timing, Mike! Here’s why…
HIPAA enforcement is clearly in effect, it is on the upswing, and the consequences are serious. The recently announced resolution agreement between OCR and UCLA Health System (UCLAHS) provides insight into three key concepts in the HIPAA Security Final Rule and the Privacy Final Rule.
The short answer to Mike’s question is: YES! In fact, it’s not “going to be required by HIPAA” … it has been required by the HIPAA Security Final Rule since its compliance date in April 2005. As they say, not a news flash!
As stated in the HHS/OCR Press Release announcing the Resolution Agreement…
The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints alleged that UCLAHS employees repeatedly and without permissible reason looked at the electronic protected health information of these patients. OCR’s investigation into the complaints revealed that from 2005-2008, unauthorized employees repeatedly looked at the electronic protected health information of numerous other UCLAHS patients.
Through policies and procedures, entities covered under HIPAA must reasonably restrict access to patient information to only those employees with a valid reason to view the information and must sanction any employee who is found to have violated these policies.
Although the focus in the UCLAHS case is on “Access” (one key concept), the other important concepts here are “Information System Activity Review” and “Auditing”. Let’s take a look at what’s required of all Covered Entities and Business Associates:
Access means “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.” Access Control is a key safeguard and domain in every information security framework.
In the HIPAA Security Final Rule, “Information system activity review” is a Required Implementation Specification under the Security Management Process Standard (45 CFR § 164.308(a)(1)). CEs and BAs must “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
The Audit Controls Standard (45 CFR § 164.312(b)) requires organizations to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
BOTTOM LINE: YES, Mike, you must: 1) first and foremost, restrict access to those, and only those, who need it to do their jobs; 2) implement mechanisms that record who accessed which individual’s records, how and when; and 3) regularly review those records to identify anomalies, policy violations, etc.
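To make steps 2 and 3 concrete, here is an added example (written for this post, not code from UCLAHS, OCR or any EHR vendor) that parses a constructed access-log sample, produces the per-patient access report Mike asked about (who accessed the record, how and when), and then performs the kind of activity review the Security Rule requires: every access by a user with no documented treatment relationship to the patient is flagged, and users who do it repeatedly are singled out. The log format, the field names, the care-team table and the patient and user identifiers are all assumptions made for the example.

```python
"""PHI access audit: per-patient access report plus review for accesses
with no documented treatment relationship.

Added example. Log format, field names and the care-team table are
assumptions; none of it comes from a real system."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample audit log (not real data). One event per line:
# ISO-8601 UTC timestamp followed by key=value fields.
SAMPLE_LOG = """\
2008-03-12T14:02:11Z user=nurse.amy role=nurse patient=P-1001 action=read
2008-03-12T14:05:40Z user=dr.lee role=physician patient=P-1001 action=update
2008-03-12T15:11:02Z user=clerk.bob role=billing patient=P-2002 action=read
2008-03-12T15:12:09Z user=clerk.bob role=billing patient=P-1001 action=read
2008-03-12T15:13:33Z user=clerk.bob role=billing patient=P-1001 action=read
2008-03-13T09:44:17Z user=nurse.amy role=nurse patient=P-2002 action=read
2008-03-13T10:02:55Z user=tech.raj role=lab patient=P-1001 action=read
"""

# Constructed treatment-relationship table. In a real deployment this would
# be derived from admissions, scheduling or order data: patient -> users
# with a documented reason to open that record.
CARE_TEAM = {
    "P-1001": {"nurse.amy", "dr.lee", "tech.raj"},
    "P-2002": {"clerk.bob", "dr.lee"},
}

NO_RELATIONSHIP = "no documented treatment relationship"


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


@dataclass(frozen=True)
class Finding:
    event: AccessEvent
    reason: str


def parse_audit_log(text: str) -> list[AccessEvent]:
    """Parse the assumed 'timestamp key=value ...' format into events."""
    events: list[AccessEvent] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(p.split("=", 1) for p in parts[1:])
        try:
            events.append(AccessEvent(ts, fields["user"], fields["role"],
                                      fields["patient"], fields["action"]))
        except KeyError as missing:
            raise ValueError(f"line {lineno}: missing field {missing}") from missing
    return events


def access_report(events: list[AccessEvent], patient: str) -> list[AccessEvent]:
    """Who touched this patient's record, how and when, in time order."""
    return sorted((e for e in events if e.patient == patient), key=lambda e: e.ts)


def find_anomalies(events: list[AccessEvent],
                   care_team: dict[str, set[str]]) -> list[Finding]:
    """Flag every access by a user outside the patient's care team.
    A patient absent from the table has no care team, so all access is flagged."""
    return [Finding(e, NO_RELATIONSHIP)
            for e in events if e.user not in care_team.get(e.patient, set())]


def repeat_offenders(findings: list[Finding], threshold: int = 2) -> set[tuple[str, str]]:
    """(user, patient) pairs with at least `threshold` flagged accesses."""
    counts = Counter((f.event.user, f.event.patient) for f in findings)
    return {pair for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    print("Access report for P-1001:")
    for e in access_report(evs, "P-1001"):
        print(f"  {e.ts.isoformat()}  {e.user:<10} {e.role:<10} {e.action}")
    findings = find_anomalies(evs, CARE_TEAM)
    print(f"\n{len(findings)} access(es) flagged: {NO_RELATIONSHIP}")
    for f in findings:
        print(f"  {f.event.ts.isoformat()}  {f.event.user} -> {f.event.patient}")
    print("\nRepeated unrelated access:", repeat_offenders(findings))
```

Two design points worth noting. First, the review is only as good as the treatment-relationship data it is joined against; if that table is stale or incomplete, the reviewer drowns in false positives and stops looking, which is the failure mode the UCLAHS case illustrates. Second, the report and the review share the same event stream, so the system that answers “who looked at this patient?” is the same one that proves, later, that someone was looking.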
It’s fair to say this is not your father’s HHS enforcement! Again, from the press release regarding the UCLAHS Resolution Agreement,
“Covered entities are responsible for the actions of their employees. This is why it is vital that trainings and meaningful policies and procedures, including audit trails, become part of the everyday operations of any health care provider,” said OCR Director Georgina Verdugo. “Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.”
“Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity,” said Director Verdugo.
Here at Clearwater Compliance, we are committed to helping covered entities and business associates across the healthcare industry become and remain compliant with the regulations while protecting the personal and intimate health information of Americans. Please contact us with any feedback or questions you may have.
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach regulations are here.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.