Article

EMR "Impersonator" Identity Ok?

August 7, 2018, by Jennifer Kirschenbaum
Question:

Hi Jennifer, 

A question from one of my staff members was brought up and I did not have the appropriate response. I was hoping you could assist me. Our medical software allows administrators to "impersonate" a user. The employee feels this is a breach of HIPAA, but I do not think it is. This feature is built into our software. I have left a message for our software vendor to determine whether there is a security measure in place to track who has impersonated another user and what was done during that session. Please advise whether this is a HIPAA violation or not.

Thank you, V
Answer:

V, this question is very dangerous. The framing of a "breach of HIPAA" is dangerous, because the question itself brings with it an inference of exposure. As I understand the question, the EMR allows operation by an unidentified user. If that is correct, I would not say that use of the EMR or use of that function ipso facto is a "breach of HIPAA"; however, utilizing an EMR without a unique identifier is certainly not the prescribed best practice under the Security Rule that is a part of HIPAA. Under the Security Rule, covered entities are expected to implement physical, administrative and technical safeguards, an example of which is unique identifiers for all doctors and staff. Allowing an unidentified user to cruise the EMR would lend itself to untrackable or potentially unauthorized patient access, and I would characterize it as less HIPAA secure than requiring each doctor and staff member to utilize a unique identifier. The verbiage here is very important; classifying something as a "breach" is dangerous. Working to change employee vernacular is part of the training culture. Staff should not be determining whether a "breach" has occurred; instead, it would be great for a staff member to bring to your attention a concern over HIPAA compliance.

A great resource to assess your practice's HIPAA compliance is the Security Risk Assessment Tool operated by HealthIT and OCR, available here: https://www.healthit.gov/topic/privacy-security/security-risk-assessment-tool. For questions or concerns on HIPAA, contact me directly at Jennifer@Kirschenbaumesq.com.
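The control the question asks the vendor about, a record of who impersonated whom and what was done during that session, is what keeps an "impersonate" feature attributable to a uniquely identified person. The following is an added illustration, not code from the article, from the practice's EMR, or from any vendor; the record layout, the class and function names, and the sample events are all assumptions constructed for the example. It records an impersonation session with the real admin, the account acted as, and a documented reason; refuses actions that have no open, attributed session; can answer "who impersonated whom, and what did they touch"; and scans a trail for entries that cannot be tied to a named person (for instance an entry made under a shared login).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class AuditEvent:
    """One line of the EMR audit trail (this layout is an assumption for the example)."""
    when: datetime
    actor_id: str            # the real, uniquely identified person at the keyboard
    effective_user_id: str   # the account the EMR acted as; equals actor_id unless impersonating
    session_id: str
    action: str              # "impersonation_start", "view_chart", "edit_note", "impersonation_end", ...
    patient_id: Optional[str] = None
    reason: Optional[str] = None


class ImpersonationAudit:
    """Records impersonation sessions so every action stays attributable to a named admin."""

    def __init__(self) -> None:
        self.events: list[AuditEvent] = []
        self._open: dict[str, tuple[str, str]] = {}   # session_id -> (admin_id, target_user_id)

    def start(self, session_id: str, admin_id: str, target_user_id: str,
              reason: str, when: datetime) -> None:
        # An impersonation session must name the admin, the target, and why.
        if not admin_id or not admin_id.strip():
            raise ValueError("impersonation must be started by a uniquely identified admin")
        if admin_id == target_user_id:
            raise ValueError("a user cannot impersonate themself")
        if not reason or not reason.strip():
            raise ValueError("impersonation requires a documented reason")
        if session_id in self._open:
            raise ValueError(f"session {session_id} is already open")
        self._open[session_id] = (admin_id, target_user_id)
        self.events.append(AuditEvent(when, admin_id, target_user_id, session_id,
                                      "impersonation_start", reason=reason))

    def record(self, session_id: str, action: str, patient_id: str, when: datetime) -> None:
        # Every action taken "as" another user is written with both identities.
        if session_id not in self._open:
            raise PermissionError(f"no open impersonation session {session_id}; action refused")
        admin_id, target = self._open[session_id]
        self.events.append(AuditEvent(when, admin_id, target, session_id, action,
                                      patient_id=patient_id))

    def end(self, session_id: str, when: datetime) -> None:
        admin_id, target = self._open.pop(session_id)
        self.events.append(AuditEvent(when, admin_id, target, session_id, "impersonation_end"))

    def report(self, session_id: str) -> dict:
        """Answer the question in the post: who impersonated whom, why, and what was done."""
        evs = [e for e in self.events if e.session_id == session_id]
        if not evs:
            raise KeyError(session_id)
        start = evs[0]
        return {
            "admin": start.actor_id,
            "impersonated_user": start.effective_user_id,
            "reason": start.reason,
            "started": start.when.isoformat(),
            "patients_touched": sorted({e.patient_id for e in evs if e.patient_id}),
            "actions": [(e.action, e.patient_id) for e in evs if e.patient_id],
        }


def find_unattributable(events: list[AuditEvent]) -> list[AuditEvent]:
    """Flag entries with no actor at all (e.g. a shared login), or where the EMR acted as
    someone other than the actor without a recorded impersonation_start for that session."""
    started: set[str] = set()
    bad: list[AuditEvent] = []
    for e in sorted(events, key=lambda ev: ev.when):
        if e.action == "impersonation_start":
            started.add(e.session_id)
        if not e.actor_id.strip() or (e.effective_user_id != e.actor_id
                                      and e.session_id not in started):
            bad.append(e)
    return bad


def demo() -> tuple[dict, int]:
    """Constructed sample trail: one properly attributed session plus one bad entry."""
    t = datetime(2018, 8, 7, 9, 0, tzinfo=timezone.utc)
    audit = ImpersonationAudit()
    audit.start("s-1", "admin.jane", "dr.smith", "Reproduce reported chart-loading error", t)
    audit.record("s-1", "view_chart", "pt-001", t.replace(minute=1))
    audit.record("s-1", "view_chart", "pt-002", t.replace(minute=2))
    audit.end("s-1", t.replace(minute=3))
    # Constructed bad entry: a session acting as dr.jones with no recorded person behind it.
    audit.events.append(AuditEvent(t.replace(minute=5), "", "dr.jones", "s-9",
                                   "view_chart", patient_id="pt-003"))
    return audit.report("s-1"), len(find_unattributable(audit.events))


if __name__ == "__main__":
    summary, unattributed = demo()
    print(summary)
    print("unattributable entries:", unattributed)
```

The design point is that impersonation is not the problem by itself; an impersonation feature whose log shows only the impersonated account is. Writing the admin's own identifier on every event, requiring a reason to open the session, and periodically running a scan like `find_unattributable` over the exported audit trail gives the practice exactly the evidence the vendor was asked for.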