Health Information Compliance Alert

READER QUESTION:

User Identification and Sharing PHI

Question: Regarding the security rule's user identification requirements: If one wanted to have a limited read-only report containing PHI on a PC screen, and all that was displayed on the PC screen was the report, would this be a definite violation of the requirements?  In this case, only key staff would have access to the information. What does HIPAA have to say about this?


California Subscriber


Answer: "This is the one place the guidance for the final [security] rule differs from the proposed rule," says Fred Langston, CISSP, senior principal consultant with Guardent in Seattle. Due to input from nursing groups that work in hospital environments like ERs and CCUs, the user identification rule has been relaxed to allow for group accounts shared in this environment. 

This kind of arrangement can't be just for convenience, warns Langston; it should be driven by a business' functional need and would require all the elements the reader described.

Other Articles in this issue of

Health Information Compliance Alert

View All