I totally disagree - this is absolutely a HIPAA Security violation. HIPAA Security requires you to "Implement policies and procedures to prevent, detect, contain and correct security violations."
How can you tell who accidentally released a patient medical record if you don't have each person logging in with their own login?
The Security rule says you must "Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."
How can you review accurate access reports if each person isn't identifiable by a unique login?
And, under the workforce security standard, it says you must "Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under [the Information Access Management standard], and to prevent those workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic protected health information."
Further, under AUTHORIZATION AND/OR SUPERVISION (A) - § 164.308(a)(3)(ii)(A): Where the Authorization and/or Supervision implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:
"Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed."
WORKFORCE CLEARANCE PROCEDURE (A) - § 164.308(a)(3)(ii)(B)
Covered entities need to address whether all members of the workforce with authorized access to EPHI receive appropriate clearances. Where the Workforce Clearance Procedure implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must:
"Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate."
In other words, the clearance process must establish the procedures to verify that a workforce member does in fact have the appropriate access for their job function.
There is a lot more I could paste, but the point is, you must not all use the same login.
You can read more at
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
It sounds to me like your office needs to do a risk analysis to determine areas that need to be addressed and updated.