Who has access to PHI? Should they?
That was the title of an early January eblast to our subscribers where we talked about insider risk and audit controls. Then OCR sends out an email about a recent $5.5 million settlement with Memorial Healthcare Systems (MHS) about PHI being “impermissibly accessed” and “impermissibly disclosed” to doctors’ staff.
The email serves as an expensive yet imperative reminder of how important audit controls are to protecting PHI. MHS didn’t follow the HIPAA Security Rule’s proper access controls, didn’t address risks it had identified as part of risk analyses conducted from 2007 to 2012 and has paid the price. Unfortunately, those whose PHI was shared with far more people than necessary still lose, because the information can’t be unseen.
It begs the question: Why do so many people get access to ePHI who clearly don’t need that access? As we’ve talked about in a previous blog article, “Who has access to your healthcare data?” the insider risk is all too real.
It’s worth repeating that training won’t stop bad people from doing bad things. However, often the privacy breach is due to inadequate monitoring of health information access, especially when you’ve noted that is a risk yet have done nothing about it. Someone with no malicious intent yet had no reason to access to ePHI can wreak unintentional havoc.
6 Essentials for ePHI Access & Monitoring
- Train everyone. While it’s not a cure-all, the need for regular (at least semi-annual) privacy and security training cannot be overstated.
- Don’t hesitate to do a thorough screening of every employee who could potentially have access to or cause risk to ePHI.
- For those who will have access, be sure that their access is appropriate to their “need to know.” Maybe it’s time to get more stringent.
- Conduct regular, timely audits of PHI access logs. Many organizations audit but far too infrequently. Step it up to reduce breach risk.
- Review employee access to PHI on a regular basis to make sure someone who has left your organization no longer has access to your patients’ PHI.
- Review and possibly revise your current audit control protocols.
What are your action steps? If you’re not sure, or if you want to see if your prevention measures are where they need to be, give us a call at 877-376-1981. We’ll discuss best next steps for your ePHI protection planning.
In the interim, we suggest you download the Common Sense Guide to Mitigating Insider Threats, 4th Edition, from US-CERT (U.S. Computer Emergency Readiness Team).