(As published in the March/April 2018 issue of MediNews)
Just like every other business on the planet, medical practices and other organizations controlling personal health records (PHI) have to deal with personnel changes on a regular basis. New people come in and, for whatever reason, others move on. Many organizations undergo significant shifts: perhaps the practice expands or contracts. These are all normal things that any manager would anticipate.
However, in the case of medical practices, these events can either strengthen data security or make the investment you made in security technology and risk management worthless.
Technology can only do so much. Any monitoring tool will see an authorized user going into an EMR and accessing data as business as usual. However, if that “authorized user” is someone who was terminated, and their account still has significant access rights, then everything they do within your system is a HIPAA violation and a data breach.
This is why it is important to recognize that there must be strong management and control of the onboarding and offboarding of staff. In this article, I will touch on a few important points on both ends.