Role Based Access Control for HIPAA Security

Not everyone is created equal in healthcare.

By: Tod Ferran

Everyone has his or her own role at an organization. The receptionist checks patients in. The nurse takes blood pressure. The physician diagnosis and determines treatment for the patient. The surgeon operates on the patient. What would happen if the receptionist just decided to switch roles with the surgeon for a day? I’d say that’s a one-way ticket to a malpractice lawsuit.

The same idea applies to PHI access across an organization, and it’s called Access Control (§ 164.312(a)(1)).

The Security Rule defines user access as “the ability or means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.”

Healthcare providers are responsible to make sure those with access to ePHI require that access to adequately do their jobs. For example, a receptionist doesn’t need access to patient X-ray files to fulfill her daily responsibilities.

It’s important to recognize that the minimum amount of information needed for a person’s job role will determine their user privileges.

Tweet

Role-based access control

One of the best ways of correctly setting up user privileges is by role. First, define roles that correspond to your organization’s structure. Hospitals will likely have 20+ different roles. Physician offices will probably have less than 10.

Each role is then assigned the minimum amount of access required for an employee to perform his or her job. This access determines their level of network access.

SEE ALSO: HIPAA Compliant Passwords

User access isn’t limited to your normal office staff. It applies to anyone who needs access to your systems or the area ‘behind the desk’. I’m talking about that IT guy you hired on the side to update your EMR software. What kind of user permissions does he have? What should he have?

Sample roles that should probably have different access permissions (in no particular order)

• Receptionist
• Provider
• Med student
• Staff nurse
• Nursing manager
• Third party IT
• Physician assistant
• Night security
• Specialist
• Radiologist
• Administrator
• Dentist
• Volunteer

How to implement access controls

• Electronic systems: Usernames are a great way to segment users by role. It also gives you a way to track specific user activity. The first question you need to ask yourself is, does each staff member have a unique user ID? If not, that’s a great place to start…not to mention it’s a HIPAA requirement.
• Physical: Make sure anyone not on your regular staff is escorted around the office by a staff member. For patients, don’t leave them unattended with logged-in equipment. For everyone else, document their name, reason for being at your organization, what company they’re from, and what they look like. If you haven’t worked with this person before, call the company and verify their name and physical description.

Geez! Why all the restrictions?

I’m sure you can see how role-based access to PHI is important for HIPAA compliance, but access controls aren’t necessarily all about HIPAA. It’s important that only those with administrative privileges can download software onto a machine, or access certain programs. By restricting access to program and application management, it lowers the chance of malware entering the system.

Have a HIPAA security question? Leave a comment and you may see your question answered on the next HIPAA Snippets video.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.