Role Based Access Control for HIPAA Security

Healthcare providers are responsible for making sure that those with access to ePHI actually need that access to do their jobs.


Not every role is created equal in healthcare.

Everyone has his or her own role at an organization. The receptionist checks patients in. The nurse takes blood pressure. The physician diagnoses the patient and determines treatment. The surgeon operates on the patient. What would happen if the receptionist just decided to switch roles with the surgeon for a day? I’d say that’s a one-way ticket to a malpractice lawsuit.

The same idea applies to PHI access across an organization, and it’s called Access Control (§ 164.312(a)(1)).

The Security Rule defines access as “the ability or means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.” This is where role-based access comes in.

Healthcare providers are responsible for making sure that those with access to ePHI actually need that access to do their jobs. For example, a receptionist doesn’t need access to patient X-ray files to fulfill her daily responsibilities.

It's important to recognize that the minimum amount of information needed for a person's job role will determine their user privileges.

Role-based access control

One of the best ways of correctly setting up user privileges is by role-based access. First, define roles that correspond to your organization’s structure. Hospitals will likely have 20+ different roles. Physician offices will probably have fewer than 10.

Each role is then assigned the minimum amount of access required for an employee in that role to perform his or her job. The permissions attached to the role, not the individual, are what determine an employee’s level of system and network access.

See also: HIPAA Compliant Passwords

User access isn’t limited to your normal office staff. It applies to anyone who needs access to your systems or the area ‘behind the desk’. I’m talking about that IT guy you hired on the side to update your EMR software. What kind of user permissions does he have? What should he have?

Sample roles that should have different permissions:

  • Receptionist
  • Provider
  • Med student
  • Staff nurse
  • Nursing manager
  • Third party IT
  • Physician assistant
  • Night security
  • Specialist
  • Radiologist
  • Administrator
  • Dentist
  • Volunteer

How to implement role based access controls

  • Electronic systems: Usernames are a great way to segment users by role. They also give you a way to track specific user activity. The first question you need to ask yourself is, does each staff member have a unique user ID? If not, that’s a great place to start…not to mention it’s a HIPAA requirement.
  • Physical: Make sure anyone not on your regular staff is escorted around the office by a staff member. For patients, don’t leave them unattended with logged-in equipment. For everyone else, document their name, reason for being at your organization, what company they’re from, and what they look like. If you haven’t worked with this person before, call the company and verify their name and physical description.
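To make the role definition and the unique-user-ID point concrete, here is a small role-based access control model written for this post. It is an added example, not code from SecurityMetrics or from any EMR product. The role names come from the list above; the permission strings (such as "xray.read"), the user IDs and the clinic scenario are constructed for the illustration. It goes one step beyond the post by adding an access-review helper that lists permissions a user holds but has never exercised, which is how least privilege is kept from drifting over time.

```python
"""Toy role-based access control (RBAC) model for ePHI access.

Added example, not SecurityMetrics or EMR vendor code. Role names follow
the post; permission strings such as "xray.read" are constructed here.
"""
from dataclasses import dataclass

# Step 1: define roles and grant each the minimum permissions its job needs.
# Permission names are constructed for this example.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "receptionist":   frozenset({"schedule.read", "schedule.write", "demographics.read"}),
    "staff_nurse":    frozenset({"demographics.read", "vitals.read", "vitals.write", "chart.read"}),
    "provider":       frozenset({"demographics.read", "vitals.read", "chart.read",
                                 "chart.write", "xray.read", "rx.write"}),
    "radiologist":    frozenset({"demographics.read", "xray.read", "xray.write", "chart.read"}),
    "third_party_it": frozenset({"system.maintain"}),            # no PHI permissions at all
    "administrator":  frozenset({"software.install", "user.manage"}),
}


@dataclass
class User:
    user_id: str            # one ID per person; a shared login destroys the audit trail
    roles: frozenset[str]


@dataclass
class AuditEvent:
    user_id: str
    permission: str
    resource: str
    allowed: bool


class AccessControl:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.audit_log: list[AuditEvent] = []

    def add_user(self, user_id: str, *roles: str) -> User:
        """Register a user. Rejects duplicate IDs and roles that were never defined."""
        if user_id in self.users:
            raise ValueError(f"user ID {user_id!r} already exists; IDs must be unique")
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        user = User(user_id, frozenset(roles))
        self.users[user_id] = user
        return user

    def effective_permissions(self, user_id: str) -> frozenset[str]:
        """Union of the permissions granted by each of the user's roles."""
        perms: set[str] = set()
        for role in self.users[user_id].roles:
            perms |= ROLE_PERMISSIONS[role]
        return frozenset(perms)

    def check(self, user_id: str, permission: str, resource: str) -> bool:
        """Authorize one action and record it (allowed or denied) against the user ID."""
        allowed = permission in self.effective_permissions(user_id)
        self.audit_log.append(AuditEvent(user_id, permission, resource, allowed))
        return allowed

    def denied_events(self, user_id: str) -> list[AuditEvent]:
        """Denied attempts for one user; a useful feed for access-violation review."""
        return [e for e in self.audit_log if e.user_id == user_id and not e.allowed]

    def unused_permissions(self, user_id: str) -> frozenset[str]:
        """Permissions held but never exercised in the log: candidates for removal
        at the next access review, since job needs change over time."""
        used = {e.permission for e in self.audit_log if e.user_id == user_id and e.allowed}
        return self.effective_permissions(user_id) - used


def demo() -> AccessControl:
    """Constructed scenario: a small clinic with a receptionist, a provider and a contractor."""
    ac = AccessControl()
    ac.add_user("jdoe", "receptionist")
    ac.add_user("asmith", "provider")
    ac.add_user("it-contractor-01", "third_party_it")

    ac.check("jdoe", "schedule.write", "appointment/2024-05-01")     # allowed
    ac.check("jdoe", "xray.read", "patient/123/xray")                # denied: not her job
    ac.check("asmith", "xray.read", "patient/123/xray")              # allowed
    ac.check("it-contractor-01", "chart.read", "patient/123/chart")  # denied: IT needs no PHI
    return ac


if __name__ == "__main__":
    ac = demo()
    for event in ac.audit_log:
        print(f"{event.user_id:18} {event.permission:16} {event.resource:26} "
              f"{'ALLOW' if event.allowed else 'DENY'}")
```

Because every check is logged against a unique user ID, the audit log answers both questions the post raises: who touched which record, and which denied attempts deserve a follow-up. The `unused_permissions` helper turns the same log into input for a periodic access review.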

See also: SecurityMetrics HIPAA Guide

Why all the restrictions?

I’m sure you can see how role-based access to PHI is important for HIPAA compliance, but access controls aren’t necessarily all about HIPAA. It’s important that only those with administrative privileges can download software onto a machine or access certain programs. Restricting access to program and application management lowers the chance of malware entering the system.
