HIPAA Security Tips for User Accounts


Protecting ePHI

HIPAA privacy rules have been a topic of discussion with nearly all of our clients in the past few months. Sending, receiving, sharing and storing health information electronically has to follow an ever growing set of rules.  In addition, medical practices that are attesting to Meaningful Use are subject to audits that include HIPAA compliance.

We are constantly working on improving the security of our clients’ computer systems and network to ensure general systems health as well as HIPAA compliance.   Since we’ve had several requests for steps that medical practices can perform on their own, we will try to break down the risk areas into manageable pieces and document them in a series of articles that we will keep adding to this site.

Securing Access to Every Computer

We will begin our series of articles by discussing the entry point into the computer, the User Accounts.  The combination of username and password is the gateway into the computer systems, and it is also the mechanism to verify the identity of the user.  This translates into specific requirements that must be followed to comply with HIPAA Security Rules.

1. Login accounts:  HIPAA requires that work performed in a system that handles ePHI can be traced to a single user.

  • Each user needs their own account, which cannot be shared with other staff in the office
  • Each account should be assigned privileges for access to systems and data that matches the need for access for that role

2. Passwords: For the login session to be secure, passwords must be complex to reduce the probability of being hacked.

  • Password should be at least 8 characters long, with numbers, letters, and special characters
  • Passwords complexity, not posting them on sticky, cannot be shared, expiration

3. PC Lockout or Logging Off after a period of inactivity: Computers must not be left unattended while available for access by other users.

  • Set computers to automatically lock after a specific period of inactivity, when the computer screen can go to a screen saver that requires a password to log back in
  • Staff members should log off the computer when they are going to be away for a period of time longer than 15 minutes

These simple tips can help all medical practices address security issues and begin implementing on their own some of the changes necessary to reduce ePHI security risks. Most of these changes can be implemented easily, on your own, with help from basic tools and utilities, or with some minimal support from your technology consultant.

As always, please contact us with any questions.

Carmen Proctor

Carmen Proctor

Client Services at E2E IT, LLC
E2E IT provides comprehensive technology consulting and infrastructure implementations to small and medium-sized medical practices in the Denver Metro Area.
Carmen Proctor

Latest posts by Carmen Proctor (see all)