Covered Entity and Business Associate workforce members must be aware of their responsibilities when given access to information systems that create, receive, transmit or maintain electronic Protected Health Information (ePHI). Such access is a privilege and should only be used for legitimate, job-related activity. Typically, employees must sign a Confidentiality and Acceptable Computer Use Agreement at least once a year. Appropriate use of information systems applies to all workforce members regardless of tenure or rank.


The HIPAA Security Final Rule requires organizations to create audit trails that record user activity, including the specific records, dates and times that records are accessed.

Accessing the accounts of friends, celebrities, relatives, coworkers, or other individuals is strictly prohibited unless you are specifically required to do so as part of your work-related responsibilities. You should not access any account unless you have a specific job-related need to do so. Snooping is not a permissible activity. Do not look up an individual’s information because you are curious, concerned or as a favor for someone else. How would you feel if someone was looking through your medical or financial records for non-professional reasons? How would you feel if others were gossiping about the most sensitive medical secrets of your mother, father, son or daughter?

Most organizations routinely monitor systems access and look for inappropriate access. Inappropriate access can result in disciplinary action up to, and including, termination. In this regard, employees must guard their authentication credentials, such as username and password. Do not ever share your userid or password.
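The audit trails the Security Rule requires are only useful if someone reviews them for the kind of access described above. The following Python script is an added example, not Clearwater's code or any EHR vendor's product: it reads a constructed audit trail in the who/what/when/action shape the rule calls for, compares each access against a hypothetical "documented care relationship" table, and flags three patterns a compliance reviewer typically looks for: a workforce member opening their own record, access with no documented job-related relationship, and a burst of such accesses in a short window. The CSV field names, the `CARE_TEAM` and `EMPLOYEE_RECORDS` tables, and the burst thresholds are all assumptions made for this example.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from io import StringIO

# Constructed sample audit trail (not real data). Field names are assumptions;
# the shape is what the Security Rule expects: who, which record, when, what.
AUDIT_CSV = """\
timestamp,user,record,action
2024-03-04T08:02:11Z,jsmith,MRN10001,view
2024-03-04T08:05:40Z,jsmith,MRN10002,view
2024-03-04T12:31:02Z,jsmith,MRN20077,view
2024-03-04T17:45:09Z,rlee,MRN10001,update
2024-03-04T18:02:33Z,rlee,MRN30500,view
2024-03-04T18:03:10Z,rlee,MRN30501,view
2024-03-04T18:03:41Z,rlee,MRN30502,view
"""

# Hypothetical "documented relationship" table: for each record, the workforce
# members with a job-related reason (treatment, assignment) to open it.
CARE_TEAM = {
    "MRN10001": {"jsmith", "rlee"},
    "MRN10002": {"jsmith"},
    "MRN20077": {"rlee"},
    "MRN30500": set(),
    "MRN30501": set(),
    "MRN30502": set(),
}

# Hypothetical mapping of workforce members who are also patients here.
EMPLOYEE_RECORDS = {"rlee": "MRN30500"}


def parse_audit(csv_text):
    """Parse the audit CSV into events sorted by timestamp (UTC)."""
    events = []
    for row in csv.DictReader(StringIO(csv_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "ts": ts.replace(tzinfo=timezone.utc),
            "user": row["user"],
            "record": row["record"],
            "action": row["action"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def screen_access(events, care_team, employee_records,
                  burst_window=timedelta(minutes=5), burst_threshold=3):
    """Return (user, record, timestamp, reason) findings for review."""
    findings = []
    # Per user: timestamps of recent accesses lacking a documented relationship.
    recent = defaultdict(list)
    for e in events:
        user, record, ts = e["user"], e["record"], e["ts"]
        if employee_records.get(user) == record:
            findings.append((user, record, ts, "self-access to own record"))
        if user in care_team.get(record, set()):
            continue  # documented job-related relationship: nothing to flag
        findings.append((user, record, ts, "no documented care relationship"))
        # Keep only the out-of-relationship accesses inside the burst window.
        recent[user] = [t for t in recent[user] + [ts] if ts - t <= burst_window]
        n = len(recent[user])
        if n >= burst_threshold:
            minutes = int(burst_window.total_seconds() // 60)
            findings.append((user, record, ts,
                             f"burst: {n} out-of-relationship records within {minutes} min"))
    return findings


def default_findings():
    """Run the screen over the constructed sample data."""
    return screen_access(parse_audit(AUDIT_CSV), CARE_TEAM, EMPLOYEE_RECORDS)


if __name__ == "__main__":
    for user, record, ts, reason in default_findings():
        print(f"{ts.isoformat()} {user:8} {record} {reason}")
```

In this sample, jsmith's two cardiology views pass silently while the MRN20077 view is flagged, and rlee's three rapid views after hours produce both a self-access finding and a burst finding. Real deployments usually derive the relationship table from scheduling, admission and assignment systems rather than a hand-maintained dictionary, and treat the output as a review queue for a privacy officer, not as an automatic verdict.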

You do not want to be held accountable for actions committed by another workforce member using your username and password. If you suspect your password has been compromised, change it immediately. Requirements to use strong passwords and change them on a regular basis are not meant to irritate but to protect.

When displaying or accessing sensitive information, do not leave your workstation unattended for any extended period of time. Before leaving, lock your workstation and/or close the relevant application (Windows users can press <Ctrl+Alt+Del> and select Lock computer). Use of a password-protected screensaver that activates after a suitable time (15 minutes or less, as suited to your environment) is recommended in case you are unintentionally away for longer than expected.

The complete HIPAA Privacy and Security regulations are here.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.