As a covered entity or a business associate under HIPAA, you must have adequate access and audit controls in place to prevent unauthorized access to electronic protected health information (ePHI). ePHI access boils down to answering two questions:
- Who in the organization needs access to ePHI?
- How much ePHI access does each individual need to perform their job?
Take these steps to secure, monitor and manage ePHI access in your organization:
- Follow the Minimum Necessary Principle. Limit ePHI access to only those individuals who need it to perform their duties, AND limit the scope of that access to only what the job requires. Not every staff member needs access to ePHI, and those who do rarely need the same level of access. Be stingy in handing out ePHI access privileges, and default to denying access that has not been explicitly approved.
- Have a well-written access policy and procedure in place that clearly communicates how ePHI access is requested, approved and granted to an individual.
- Implement audit software that can generate the list of individuals with ePHI access, provide a log of recent access activity (successful and failed), and alert management to any attempt to gain unauthorized access to ePHI.
- Implement a policy that mandates periodic audits of the ePHI access procedure, and revoke or grant access privileges as the audit findings require (for example, removing access that an individual no longer uses or no longer needs).
- Train employees on their ePHI security and compliance responsibilities.
- Have all access policies, approval records and audit logs readily available in case of an audit.
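The steps above translate directly into a small access-control and audit layer. The following is an added example, not code from the original page or from any HIPAA guidance; the role names, user IDs, ePHI fields, log layout and access events are all assumptions constructed for the illustration. It encodes the Minimum Necessary Principle as a per-role field scope with default deny, records every attempt (allowed or denied) in an audit log, and produces the three reports the audit step calls for (who has access, recent activity, unauthorized attempts) plus a list of idle privilege holders for the periodic review.

```python
"""Minimum-necessary ePHI access with an audit trail.

Added illustration, not code from the original page or any HIPAA guidance.
Role names, user IDs, record fields, the log layout and the access events
in sample_run() are all constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# "How much access": each role is scoped to the ePHI fields its job needs.
ROLE_SCOPES = {
    "physician": {"demographics", "diagnoses", "medications", "lab_results"},
    "billing": {"demographics", "billing_codes"},
    "front_desk": {"demographics"},
    "it_support": set(),  # keeps systems running; needs no ePHI content
}

# "Who needs access": hypothetical staff directory mapping user to role.
USERS = {
    "dr.alvarez": "physician",
    "b.chen": "billing",
    "m.okafor": "front_desk",
    "t.singh": "it_support",
}


def is_authorized(user, field):
    """Default deny: unknown users and out-of-scope fields are refused."""
    role = USERS.get(user)
    return role is not None and field in ROLE_SCOPES.get(role, set())


def access_ephi(user, patient_id, field, when, log):
    """Decide one request and record it, allowed or denied, in the audit log."""
    allowed = is_authorized(user, field)
    log.append({"ts": when, "user": user, "patient": patient_id,
                "field": field, "allowed": allowed})
    return allowed


def users_with_ephi_access():
    """The list an auditor asks for first: who can see any ePHI at all."""
    return sorted(u for u, role in USERS.items() if ROLE_SCOPES.get(role))


def recent_activity(log, now, window=timedelta(days=7)):
    """Successful accesses inside the review window, newest first."""
    hits = [e for e in log if e["allowed"] and now - e["ts"] <= window]
    return sorted(hits, key=lambda e: e["ts"], reverse=True)


def unauthorized_alerts(log):
    """Every denied attempt is reportable; count them per user for triage."""
    denied = defaultdict(int)
    for e in log:
        if not e["allowed"]:
            denied[e["user"]] += 1
    return dict(denied)


def revocation_candidates(log, now, idle=timedelta(days=90)):
    """Periodic review: privileged users who have not used ePHI access lately."""
    last_used = {}
    for e in log:
        if e["allowed"]:
            last_used[e["user"]] = max(last_used.get(e["user"], e["ts"]), e["ts"])
    return sorted(u for u in users_with_ephi_access()
                  if now - last_used.get(u, datetime.min) > idle)


def sample_run():
    """Constructed access events; returns the audit reports as one dict."""
    now = datetime(2024, 6, 1, 9, 0)
    log = []
    access_ephi("dr.alvarez", "P-1001", "diagnoses", now - timedelta(days=1), log)     # allowed
    access_ephi("b.chen", "P-1001", "billing_codes", now - timedelta(days=2), log)     # allowed
    access_ephi("b.chen", "P-1001", "diagnoses", now - timedelta(days=2), log)         # denied: out of scope
    access_ephi("m.okafor", "P-1002", "demographics", now - timedelta(days=120), log)  # allowed, but long ago
    access_ephi("t.singh", "P-1002", "medications", now - timedelta(hours=3), log)     # denied: no ePHI scope
    access_ephi("t.singh", "P-1003", "lab_results", now - timedelta(hours=2), log)     # denied again
    access_ephi("ghost", "P-1003", "demographics", now, log)                           # denied: unknown user
    return {
        "who_has_access": users_with_ephi_access(),
        "recent": [(e["user"], e["field"]) for e in recent_activity(log, now)],
        "alerts": unauthorized_alerts(log),
        "review": revocation_candidates(log, now),
    }


if __name__ == "__main__":
    for name, report in sample_run().items():
        print(f"{name}: {report}")
```

Two design points carry over to real systems: the check and the log write happen in the same code path, so a denied attempt can never go unrecorded, and the review report is derived from the same log rather than from a separate spreadsheet, so the "who has access" list and the "who actually uses it" list cannot drift apart.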