HIPAA & Staff Accounts

An important part of HIPAA compliance rests with the users themselves. It is essential that ResiDex users never share their login usernames or passwords. The ResiDex username/password locking system is a key part of staying HIPAA compliant and keeping private medical information secure.

The Summary of the HIPAA Privacy Rule by the Office for Civil Rights has a section on Data Safeguards that addresses this issue:

"A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes."

In summary: If you have paper copies of health care records, keep them secure and out of the hands and eyes of anyone not authorized to access that information. Any paper carrying personal information must be destroyed (for example, shredded) so that none of the information can be read or recovered.

For those using electronic records, grant access only to those who need the information. Keep passwords secure and NEVER share them! Do NOT walk away from a computer while logged into health records or personal information.

On encryption and security measures, HIPAA says:

"When implementing controls under HIPAA, covered entities must in general "(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. (4) Ensure compliance with this subpart by its workforce. (1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. (2) In deciding which security measures to use, a covered entity must take into account the following factors: (i) The size, complexity, and capabilities of the covered entity. (ii) The covered entity's technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information. (c) Standards. A covered entity must comply with the standards as provided in this section.""

In summary: If you need to send information electronically, by fax or email, reasonable and appropriate safeguards must be in place to protect health information and prevent a violation of the HIPAA Privacy Rule. A few suggestions are:

Include a "Statement of Confidentiality" at the bottom of the message, such as: "The contents of this e-mail message and any attachments are confidential and are intended solely for the addressee. The information may also be legally privileged. This transmission is sent in trust, for the sole purpose of delivery to the intended recipient. If you have received this transmission in error, any use, reproduction or dissemination of this transmission is strictly prohibited. If you are not the intended recipient, please immediately notify the sender by reply e-mail or phone and delete this message and its attachments, if any."

If sending information via email, you may password-protect the files so that only those who hold the password can open them.

Create a written policy that prohibits sharing login usernames and passwords with other staff.

It is reasonable and appropriate to require staff members to keep their ResiDex login information private, so that no user gains access to resident or staff data that must be kept secure.

We have created various user roles that limit or expand user access, from very little (read only/reports only) to full access. Each individual will have THEIR OWN SPECIFIC ACCESS.

If a facility suspects a security breach involving user accounts, it can quickly resolve the issue by resetting passwords. It can also review reports such as "ResiDex Logins - by day" or "ResiDex Logins - by user" to track specific login activity.
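As an added example (not part of ResiDex or of this page), the following Python script applies the "Logins - by user" idea to a constructed login report: it flags any username that is signed in on two different workstations at the same time, which is what a shared password looks like in the log. The column layout, workstation names and timestamps are assumptions made up for the example.

```python
from datetime import datetime
from itertools import combinations

# Constructed sample rows in the shape of a "Logins - by user" report.
# The column layout is an assumption; the real export format is not shown
# on the page. Times are local facility time.
SAMPLE_REPORT = """\
username,workstation,login,logout
jdoe,NURSE-STATION-1,2024-03-04 07:58,2024-03-04 12:10
jdoe,MED-CART-2,2024-03-04 09:15,2024-03-04 10:40
mlee,NURSE-STATION-1,2024-03-04 12:12,2024-03-04 16:30
mlee,NURSE-STATION-1,2024-03-04 16:35,2024-03-04 19:00
asmith,FRONT-DESK,2024-03-04 08:00,2024-03-04 08:45
asmith,FRONT-DESK,2024-03-04 08:30,2024-03-04 09:30
"""


def parse_report(text):
    """Turn the CSV export into (username, workstation, login, logout) tuples."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        user, ws, login, logout = line.split(",")
        rows.append((user, ws,
                     datetime.fromisoformat(login),
                     datetime.fromisoformat(logout)))
    return rows


def find_shared_logins(rows):
    """Return (username, workstation_a, workstation_b) for every pair of
    sessions under one username that overlap in time on two different
    workstations. One person cannot be at two machines at once, so each
    hit is a lead worth a password reset and a conversation with staff.
    Overlapping sessions on the SAME workstation (a re-login after a
    dropped session) are deliberately not flagged."""
    by_user = {}
    for user, ws, start, end in rows:
        by_user.setdefault(user, []).append((ws, start, end))
    findings = []
    for user, sessions in by_user.items():
        for (ws_a, s_a, e_a), (ws_b, s_b, e_b) in combinations(sessions, 2):
            overlaps = s_a < e_b and s_b < e_a
            if overlaps and ws_a != ws_b:
                findings.append((user, ws_a, ws_b))
    return findings


if __name__ == "__main__":
    for user, ws_a, ws_b in find_shared_logins(parse_report(SAMPLE_REPORT)):
        print(f"{user}: concurrent sessions on {ws_a} and {ws_b}")
```

On the sample data only jdoe is flagged; asmith's overlapping sessions are on one workstation and mlee's sessions do not overlap.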

Facilities can also take advanced measures by requiring a minimum password length and/or complex passwords (mixed case plus a number).