Control access to protected health information

Properly configuring access to protected healthcare information (PHI) is tricky, to say the least. On one hand, we want it to be readily accessible to caregivers wherever we may be, especially in emergency cases. In cases where we are gravely injured and unconscious, it would be ideal if doctors know important medical details about ourselves — such as medicine allergies — before they started treating us.

Additionally, telemedicine patients use all sorts of internet connections and devices. Truly, not having to travel to the hospital or clinic saves time, money, and effort, but the price for these benefits may be data security. If, for instance, someone steals your smartphone while it is unlocked, then the thief might get his hands on your medical files.

We don’t want just anyone to be able to peer into our medical histories. Past and present medical conditions can incite social stigmas and restrictions that make it harder to find and retain jobs, socialize in a community, and obtain economic safety nets such as insurance. Beyond the practical ramifications, privacy as a whole simply allows us as individuals to control what we disclose about ourselves. To be constantly exposed to scrutiny and judgment restricts us from acting on our own accord.

All in all, we don’t want our files on full display on computer screens where random passersby can see. We also don’t want nurses accidentally emailing our health records to the wrong recipients. We don’t want blackmailers threatening to shame us by publicly announcing our physical ailments, and we most definitely don’t want hackers locking life-or-death data away for ransom, either.

To ensure proper access to healthcare information in your organisation, follow these two important steps:

  1. Set up an identity and access management (IAM) program

Look into your current systems, plot where electronic PHI is stored, then draw workflows depicting which roles have access to PHI, where the information goes, and what is done to that information. From there, you can set up your IAM program. Here’s a brief illustration to help you understand what this program is and how it works. Firstly, this lets you configure the following:

  • How users are identified
  • How roles are created in the system and how these are assigned to users

Once you’ve made your configurations, you can use the program to:

  • Add, remove, and update users and their roles in the system
  • Grant certain access levels to users or groups of users
  • Apply protective measures upon the PHI and upon the entire system as well

A thorough audit of your organisation can reveal that there may be roles that have been misconfigured as well as individuals who have more access rights than they should. Furthermore, the program must be able to accommodate changes such as the addition of new services or the adoption of new medical technology.

  1. Be proactive in maintaining and improving the IAM program

The right people must be involved in managing the program. Include HR, department heads, and security, privacy, and compliance officers in maintaining and enhancing it so that no vulnerabilities can form anywhere in your organisation. Furthermore, when you have to implement changes or enhancements across the enterprise, your team can achieve this without disrupting patient care too much.

And as no system is ever perfect, it’s good to continually improve your access management protocols. Execute the following procedures every quarter or more often if needed:

  • Look into how much access admins have to servers and workstations. Often, managers forget to limit the privileges of local admins, thereby granting them inappropriate access to patient data.
  • Be vigilant when it comes to granting access requests. For instance, if a non-admin staff member fills in for an absent administrator, the former’s request for the latter’s access privileges must be vetted thoroughly before being granted.
  • Examine and monitor group accounts — members may have different access rights and may receive information that they are not cleared to see.
  • Review access logs for restricted areas. There may be instances where employees entered such areas during inappropriate times.
  • Ensure that offboarded employees and staff members who are taking long leaves of absences have their access to sensitive data cut off. Managers and admins often forget to do so, needlessly risking the data of their patients.

Your healthcare organisation will only benefit tremendously by implementing better safeguards for PHI. Contact Austin Technology to learn about everything you need to have your very own IAM program.

Scroll to Top