Please upgrade your browser

Avoid HIPAA problems: Don’t share your password for medical records

October 18th, 2017 | Posted in Professional Skills

If you work for a health care organization or have your own advocacy business, remember to practice safe use of passwords into the medical records system to avoid problems with HIPAA.

A new survey notes that health care workers commonly use each other’s passwords, representing a danger for both protection of patient information and the potential of costly fines.

The survey results, published in the July 2017 issue of the journal Healthcare Informatics Research, showed that out of 299 “medical and paramedical personnel” asked, 73.6% said “they had obtained the password of another medical staff member” and, among those who had admitted it, used it almost five times.

The paper refers to the HIPAA risk of these illicit transfers. For one thing, the HIPAA privacy rule “requires that a person access only the portion of a record ‘minimally necessary’ to fulfill their function,” says Wayne J. Miller, health care law attorney and partner at Compliance Law Group in Los Angeles.

“So it’s conceivable that using, say, a doctor’s access information will enable access to more information than a staff person may need for their role.” That leaves open the possibility of all kinds of violations. “First, an organization is supposed to keep track of ‘excess’ access — that is, beyond the minimum needed,” says Miller. “If they don’t, that’s a violation right there.”

Take a common-sense approach

HHS hasn’t been good about clarifying what they mean by minimally necessary, says Elizabeth G. Litten, partner and HIPAA privacy & security officer with the Fox Rothschild law firm in Princeton, N.J. “When the omnibus rule came out in 2013, HHS said they’d give guidance on the meaning of ‘minimum necessary’ — but they have not done so,” she says.

Given that lack of guidance, Litten suggests you “apply common sense in terms of scope and context of access.” The issue is not the passwords so much as the legitimacy of the worker’s access to the protected health information (PHI) in the file, she says.

“Within a health care facility, people who are involved in the treatment of a patient or in payment or operations, such as QA [quality assurance], have appropriate reasons to access PHI,” even if they lack credentials. On the other hand, “someone who has nothing to do with the subject, a staff member looking up information on a famous person or an ex-boyfriend of a sibling,” shouldn’t be accessing the file “even if their credentials allow them to do so,” she says.

What could go wrong

Staffers’ habit of password-swapping can lead to negative secondary effects, notes Dodi Glenn, vice president for cybersecurity at PC Matic.

“Think about the medical records or medication distribution and if something was recorded incorrectly,” Glenn says. “Who would be accountable? No one would know because several people could have entered that note or dosage with the same credentials.”

Also, terminated employees whose own credentials are revoked may retain borrowed credentials if passwords have been swapped. HIPAA fines on unauthorized access of patient files by terminated employees have run into the millions, and password sharing just makes that risk greater.

Finally, says Glenn, “if the privacy of user credentials is lackluster, it may create an environment that enables a lack of privacy in general.”

3 ways to stop swaps

Your organization may take these steps to avoid problems:

  • Prevent concurrent login sessions. “Only allow the account to be logged in during one instance and not multiple ones,” says Glenn; if Joe can’t work while Jane is using his credentials, he’ll be less likely to lend them out. The system should be set to disallow concurrent logins from one ID.
  • Biometric authentication, such as fingerprint access. “If an employee is terminated, they cannot take their coworker’s fingerprint with them,” says Glenn. Litten also likes two-factor authentication, “a requirement for some other piece of info to show you are who you say you are.” Some EHR companies such as Allscripts offer these services.
  • Make swapping less necessary. Employees borrow credentials because it’s more convenient than going through the often cumbersome process of getting their own. Make it less cumbersome and that will reduce the problem. “I think you can talk to your EHR [electronic health record] vendor and see if there’s a way to give staff temporary access to the system when needed — approved, say, for one-time use to see a record,” says Litten. — Roy Edroso (