Wiki HIPAA Violation of sharing staff job logins??

[TThivierge]

Hello
Does anyone think sharing staff logins to show transmitting of insurance claims and creating fiscal reports and posting payments is in violation of the HIPAA Security Rule ?

 

[sarahphillips]

absolutely

 

[Pam Warren]

I'm not sure it's a HIPAA violation per se. HIPAA addresses the unauthorized release of PHI to individuals outside the care organization who would otherwise have no need to know. I'm assuming that all of your employees post payments, run reports and send claims, so I'm not sure any specific HIPAA violation has actually taken place, unless the person using the login has another function that would normally not bring them into contact with PHI. Remember also, that HIPAA doesn't entirely protect information needed to bill claims. That's a common misconception.

What you've described is more of an organizational issue. Logins are created for individuals so that errors, problems or breaches can be tracked through an audit of user logins. When you share a login, you're essentially allowing someone to become 'you', and anything that they do will be linked back to you. In my organization it can be grounds for dismissal.

I think your group should tighten up security because what you're describing is a risky practice.

 

[mitchellde]

It may not be a HIPAA violation but it might be Social security act violation. I would check with your health care attorney to be sure. I think the question is, why doesn't each staff person that performs these functions have their own log in credential? With sharing of log ins how can you assure your patients/clients that there is no unauthorized access? As an employee I would protect my log in and not allow any one else to have it.

 

[cyndeew]

I totally disagree - this is absolutely a HIPAA Security violation. HIPAA Security requires you to ?Implement policies and procedures to prevent, detect, contain and correct security violations.?

How can you tell who accidentally released a patient medical record if you don't have each person logging in with their own login?

The Security rule says you must ?Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.?

How can you review accurate access reports if each person isn't identifiable by a unique login?

And, under the workforce security standard, it says you must ?Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic protected health information.?

Further, under AUTHORIZATION AND/OR SUPERVISION (A) ? ? 164.308(a)(3)(ii)(A) Where the Authorization and/or Supervision implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:

?Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.?

WORKFORCE CLEARANCE PROCEDURE (A) - ? 164.308(a)(3)(ii)(B)
Covered entities need to address whether all members of the workforce with authorized access to EPHI receive appropriate clearances. Where the Workforce Clearance Procedure implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:

?Implement procedures to determine that the access of a workforce
member to electronic protected health information is appropriate.?
In other words, the clearance process must establish the procedures to verify that a workforce member does in fact have the appropriate access for their job function.

There is a lot more I could paste, but the point is, you must not all use the same login.

You can read more at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html

It sounds to me like your office needs to do a risk analysis to determine areas that need to be addressed and updated.