Sounds pretty basic, but please assure me you’re not sharing user IDs and passwords among members of your workforce. The HIPAA Security Rule requires Covered Entities and Business Associates to implement a “Unique User Identification” standard for systems holding electronic protected health information (ePHI). Unique User Identification is a “required” specification under the Access Control standard and should be employed for all information assets that create, receive, transmit and maintain ePHI. For members of the workforce, no sharing!

As the name implies, unique user identification refers to the use of a unique name or number to identify and track specific individuals handling ePHI. Frequently referred to as a “logon name” or “user ID”, this unique name or number provides a means to verify the identity of the person using the system. An effective unique user identification practice ensures that system activity can be traced to a specific individual. Never share your user ID on any system, as you would not like to be held responsible for someone else’s actions.

System Administrators should perform ongoing maintenance of user identification data. User identifications that are not associated with active workforce members (such as those of former or transferred members of the workforce) present an increased risk for abuse. User identifications provided to consultants and vendors should also be removed or disabled as soon as they are no longer needed. System Administrators may wish to temporarily disable accounts for workforce members who are leaving for extended periods and have no need to access the system, such as for medical/family leave or vacations.
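One way a System Administrator could run the periodic review described above, as an added example that is not part of the original post. The record layout, status values and account names are constructed assumptions, and the script only reports findings; it changes nothing on any system.

```python
from datetime import date

# Constructed sample data; field names and status values are assumptions.
ROSTER = {"asmith": "active", "bjones": "terminated",
          "cdavis": "transferred", "dlee": "leave"}

# (user_id, owner, kind, enabled, needed_until)
ACCOUNTS = [
    ("asmith",    "asmith", "workforce", True,  None),
    ("bjones",    "bjones", "workforce", True,  None),
    ("cdavis",    "cdavis", "workforce", True,  None),
    ("dlee",      "dlee",   "workforce", True,  None),
    ("frontdesk", None,     "workforce", True,  None),  # generic login
    ("vend-acme", "acme",   "vendor",    True,  date(2024, 3, 31)),
    ("vend-ops",  "opsco",  "vendor",    True,  date(2024, 12, 31)),
    ("egray",     "egray",  "workforce", False, None),  # already disabled
]

def review_accounts(accounts, roster, today):
    """Return (user_id, action, reason) for each enabled account needing attention."""
    findings = []
    for user_id, owner, kind, enabled, needed_until in accounts:
        if not enabled:
            continue  # nothing to do for accounts that are already disabled
        if owner is None:
            # No single owner: activity cannot be traced to one individual.
            findings.append((user_id, "replace", "shared or generic login"))
        elif kind == "vendor":
            if needed_until is None or needed_until < today:
                findings.append((user_id, "disable",
                                 "engagement ended or no end date recorded"))
        else:
            status = roster.get(owner)  # None when owner is not on the roster
            if status == "leave":
                findings.append((user_id, "suspend", "owner on extended leave"))
            elif status != "active":
                findings.append((user_id, "disable",
                                 f"owner status: {status or 'not on roster'}"))
    return findings

if __name__ == "__main__":
    for user_id, action, reason in review_accounts(ACCOUNTS, ROSTER, date(2024, 6, 1)):
        print(f"{user_id:<10} {action:<8} {reason}")
```
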

What policies and procedures do you have in place to ensure you are compliant with this required implementation specification?

The complete HIPAA Privacy, Security and Breach regulations are here.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.