Sorry, you have Javascript Disabled! To see this page as it is meant to appear, please enable your Javascript! See instructions here

Access Management

MARLENE MAHEU, PhD

July 26, 2019 | Reading Time: 2 Minutes

 406

Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker. How

Limiting PHI Exposure (Part IV): Access Management

What is Access Management?

As part of the HIPAA Privacy Rule, user access to PHI must be restricted to the “minimum necessary” that allows the individual to perform his or her job functions. Consequently, HHS requires healthcare organizations to have information access management systems in place. Access management controls which individuals can view certain information. For example, someone working in the billing department doesn’t need access to patient medical records, just as nurses don’t need access to patient’s financial information.

An organization must:

Give users unique login credentials
Restrict users from sharing their login with others
Have the ability to attribute actions to specific individuals
Restrict network access based on their job function
Review network access for individuals who change roles within the organization
Enforce the use of secure passwords
Monitor logon and logoff activity

Access Management Using Multi Factor Authentication (MFA)

The government recommends that organizations implement multi-factor authentication (MFA) to control which users, within an organization, have access to what information. MFA uses multiple security factors to identify an individual, such as a password in combination with a biometric scan. A biometric scan is a security identification device that uses fingerprints, facial images, iris, or voice recognition to identify an individual.

Users must use two of the following security factors to gain access to information:

“Knowledge” factor: a password or PIN
“Possession” factor: a one-time access code generated by a secure mobile app
“Inherence” factor: a biometric scan
“Location” factor: a specific location that can verify your identity

Not only does HHS mandate organizations restrict access to PHI, it also requires authorized users to have easy access to PHI. As such, the most effective authentication system for healthcare organizations is a single sign-on system (SSO). SSO allows individuals to use one set of login credentials to access multiple applications, maintaining the enhanced security of MFA while allowing for quick access to records.

$5.5 Million Fine Issued for Unauthorized Access

To put this into perspective, Memorial Healthcare Systems (MHS) in Florida was recently fined $5.5 million for failure to implement adequate access controls. An employee of MHS had used the login credentials of a physician to illegally access the records of 80,000 patients. Had the organization implemented multi-factor authentication, the breach and the subsequent fine could have been avoided.

This is Part IV of the XI-part blog series. You can also read Parts I to III below:

Behavioral health practices handle protected health information (PHI) regularly, and as such, must take precautions to safeguard the sensitive information. The Department of Health and Human Services (HHS) recommends ten practices that anyone handling PHI needs to implement, the third of which is access management. (Each one of these XI HIPAA outlined practices will be examined in its own article, labeled Part I-XI for your convenience. This current article is Part IV of that XI-part series.)

HIPAA Compliant Cybersecurity for Professionals

Must-know information about how to protect your telehealth practice from a ransomware attack. Operate w/ EYES WIDE OPEN.

Telepractice: Telehealth Law & Ethics Implementation Workshop

Comply with federal, state, national accreditation and association requirements for telehealth documentation.

Telehealth Law & Ethical Course Bundle

This Telehealth Legal & Ethical Course Bundle provides the most important risk management and telehealth compliance training available anywhere to help meed telehealth, regardless of the size of your telehealth services.

Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. Some of Telehealth.org’s blog content is generated with the assistance of ChatGPT. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to Telehealth.org Privacy Policy and Terms and Conditions.