QUESTION: Our company sponsors a self-insured health plan, and employees who perform plan administration functions have access to electronic protected health information (PHI). How do we control access to PHI to comply with the HIPAA security rule?
ANSWER: The HIPAA security rule applies to electronic PHI created, received, maintained, or transmitted by health plans or their business associates. When users are able to access electronic PHI, the access control standard under the HIPAA security rule must be considered. This standard includes four implementation specifications: unique user identification; emergency access; automatic logoff; and encryption and decryption.
When developing security measures consistent with these implementation specifications, you may wish to consider the Health Industry Cybersecurity Practices (HICP) developed by a task group convened by HHS. In technical volumes, the HICP identifies “best practices” to mitigate security threats. HICP security measures relevant to access control include, for example, the following:
Access Parameters. Tailor access for each user based on the user’s specific workplace requirements. Access should be role-based, providing the minimum necessary access for users to perform their job functions involving use or disclosure of electronic PHI.
Separate Accounts. Assign a separate user account to each user in your organization; shared or generic accounts should be avoided. Require users to create complex passwords, with reminders that passwords should be different from those used for users’ personal accounts. Train and regularly remind users that they must never share their access credentials. Implement multifactor authentication for users to gain access to their unique accounts.
Automatic Lock and Log-off. Configure systems and endpoints to automatically lock out and log off users after a predetermined period of inactivity.
Modify and Terminate User Access. When a user leaves your organization, execute procedures to terminate the user’s access immediately to prevent former users (who may have improper motives) from accessing PHI. This is especially important for organizations using cloud-based systems where access is based on credentials, rather than physical presence at a particular computer. Similarly, if a user changes jobs within the organization, it is important to modify access based on the requirements of the new position.
Although you asked about the HIPAA security rule, keep in mind that the HIPAA privacy rule also includes requirements for plan sponsors’ employees who use or disclose PHI (paper or electronic). For example, access to PHI must be limited to employees performing plan administration functions; the PHI must not be used for employment-related purposes; separation must be maintained between employees with access to PHI and other employees; and various administrative safeguards must be adopted.
For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIII.C (“Sharing PHI and Electronic PHI With Plan Sponsors”), XXIX (“Security Requirements: General Concepts”), and XXX.D (“Core Security Requirements: Technical Safeguards”).
Contributing Editors: EBIA Staff.