There are two guiding patient protections in the medical industry: the Hippocratic Oath and HIPAA. The Hippocratic Oath is the basis of all medical integrity and responsibility, while HIPAA is the basis of all patient privacy. The original HIPAA bill was signed in 1996, and it has seen many updates as information storage and sharing technology has progressed. In fact, the restrictions and protections of HIPAA compliance are a major underlying reason the medical industry seems behind the curve on information management.
It is a serious undertaking for any medical organization to update patient information systems, much less expand that system for remote accessibility. Accessible digital medical records are essential for modern medical care. Medical teams share patient records to provide comprehensive or transitioning care. Patients must have access to their own records, and parents must have access to their children’s records.
But with all this digital access, how can we make certain that breaches don’t result from a small digital error? Many medical organizations struggle to hone file permissions so that only authorized eyes see each individual patient’s records. In other words, the medical community needs a system to automate permissions settings and increase HIPAA compliance.
Digital Records and Account Permissions for HIPAA Compliance
First, let’s talk about how digital record permissions work. There are three aspects of this conversation. First is the file – any single private medical file protected by HIPAA. Then there are user accounts – patients and staff who access the online medical platform. The third asset is the permission container. Think of permissions as concentric fences that ring individual files, folders, and directories. Only accounts with access can cross these permission-fences.
Our challenge is to make sure that only people authorized under HIPAA can cross that barrier. On a platform designed to share information, this is a more complex task than it sounds. Not only do we need include-lists (people who must have access) and exclude-lists (people who must never have access), but these requirements also change over time. The best example is a doctor who is no longer treating a patient. At that point, it becomes necessary and natural to remove them from the record's access permission list.
Now we will dive into the details of identifying and restricting access to best comply with HIPAA regulations.
Determining Who Should Have Access
Before we can determine permission rules for restricting and allowing HIPAA-compliant record access, we need to know whose access is compliant. The first step in HIPAA-safe automation is to make clear lists of who should and should not have access.
On one side, there are those who must be given access on request and should have access whenever they choose to investigate. These include the patient, health providers, legal guardians, and anyone the patient has given written permission to also access their records.
Accounts that Must Have Access for HIPAA Compliance
- The Patient
- Current Physicians and Health Providers
- Both Legal Parents of a Child
- Designated (in writing) Representative, Guardian, or Caregiver
On the other side are individuals or accounts that should automatically be denied access to a patient's private health information (PHI). We list these specifically because there has been some confusion about what qualifies as HIPAA-compliant access, and to highlight common mistakes in digital PHI management.
Accounts that Must Not Have Access
- General Medical Staff
- Entire Departments
- The Patient’s Whole Contact List
- Past Physicians and Health Providers
- Former Representatives, Guardians, and Caregivers
- Parents of Patients Over 18 (without permission)
Automation and Access
The key to HIPAA automation is to help your system identify the correct allowed and disallowed accounts programmatically. For example, your system may easily identify the patient themselves (it’s their file) and the attending physician. It may take more work to automatically identify the patient’s support medical team who should have access and family members with written permission to participate in medical care.
However, once you build a system to identify these parties, each new designation will take care of itself – except for updates that must be made along the way.
Access on File Creation for HIPAA Compliance
The next step is to control access to PHI records from the moment of their creation. Every medical record must enter your organization's database somehow. Some were scanned in from paper records; many today were transferred digitally from another medical organization. Inside a medical facility, millions of new medical records are created every year, ranging from appointment notes to prescriptions to treatment plans.
Who has access to these files the moment they are created? Which accounts are able to open the file to read and/or edit the private patient data? Chances are that your document platform's default settings are not HIPAA-compliant, and they likely include the staff account that uploaded the file. So, first things first, let's make sure your files are secure from the moment of creation.
Automating HIPAA Compliance on File Creation
Whitelist New Documents with HIPAA Compliance
Set each new PHI document to a whitelist status upon creation. Whitelisting access means that, by default, no one has access. Only accounts listed on the whitelist will be allowed to pass through. This allows you to then programmatically permit only accounts that have legal access under HIPAA regulations.
As we talked about previously, your system can identify the patient, their doctor(s), and assigned medical staff by default. Upon request, patients can have their chosen family, spouse, or close friends added to the list of accounts who can access their digital records through the whitelist. All other accounts will be prevented from access by default through the whitelisting method.
Blacklist Known Excluded Accounts
From there, you can take added security steps by blacklisting (no-exceptions banning) accounts that absolutely should not have access. For example, a patient may express that they have estranged parents, and that their parents are not to be allowed access. While they would be denied access by default, a blacklisting on the medical record permissions file will prevent any attempted meddling from fooling a member of your staff into granting access later.
You can also have your system automatically blacklist medical teams that have been removed from a patient’s case – just to ensure there are no legacy mixups that violate HIPAA protections.
Permissions Inheritance for HIPAA Compliance
Let’s say you’ve created a new PHI document that will go into an existing patient file. New permissions do not have to be generated for this file because it can (and should) inherit the permissions from the patient’s overall records settings. This method will help to automatically secure the vast majority of new documents with exactly the settings they need. In situations where an individual file is shown or withheld for HIPAA-compliant reasons, you can also generate individual permission rules for these specific files.
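The whitelist, blacklist and inheritance rules described above, put together as a small default-deny policy engine. This is an added example for illustration, not code from the original post or from any particular document platform; the account ids, the `Permissions` container and the rule that a record-level blacklist overrides every per-file rule are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass
class Permissions:
    """A permission container: a default-deny whitelist plus a no-exceptions blacklist."""
    allow: Set[str] = field(default_factory=set)  # accounts explicitly granted access
    deny: Set[str] = field(default_factory=set)   # accounts banned outright


@dataclass
class PatientRecord:
    patient_id: str
    permissions: Permissions


@dataclass
class PhiDocument:
    doc_id: str
    record: PatientRecord
    # None means "inherit the patient's record settings"; a Permissions object is a
    # file-specific rule that replaces the inherited whitelist for this document only.
    own_permissions: Optional[Permissions] = None
    uploaded_by: str = ""  # kept for the audit trail; confers no access


def new_patient_record(patient_id: str, care_team: Set[str]) -> PatientRecord:
    """Whitelist the patient and their current care team by default; nobody else."""
    return PatientRecord(patient_id, Permissions(allow={patient_id} | set(care_team)))


def create_document(record: PatientRecord, doc_id: str, uploaded_by: str) -> PhiDocument:
    """New PHI documents inherit the record's whitelist. The staff account that
    uploaded the file is deliberately NOT granted access just for uploading it."""
    return PhiDocument(doc_id, record, uploaded_by=uploaded_by)


def add_designee(record: PatientRecord, account_id: str) -> bool:
    """Patient-requested designee (spouse, family, caregiver). Refused if the
    account is blacklisted, so a later request cannot quietly undo a ban."""
    if account_id in record.permissions.deny:
        return False
    record.permissions.allow.add(account_id)
    return True


def blacklist(record: PatientRecord, account_id: str) -> None:
    """No-exceptions ban on the patient's record; also revokes any existing grant."""
    record.permissions.deny.add(account_id)
    record.permissions.allow.discard(account_id)


def effective_permissions(doc: PhiDocument) -> Permissions:
    """Per-file rule if one exists, otherwise the inherited record permissions."""
    return doc.own_permissions if doc.own_permissions is not None else doc.record.permissions


def check_access(doc: PhiDocument, account_id: str) -> Decision:
    perms = effective_permissions(doc)
    # The record-level blacklist applies to every document, even those with their
    # own file-specific rule, and a blacklist entry always beats a whitelist entry.
    if account_id in doc.record.permissions.deny or account_id in perms.deny:
        return Decision.DENY
    if account_id in perms.allow:
        return Decision.ALLOW
    return Decision.DENY  # not whitelisted: default deny


if __name__ == "__main__":
    # Constructed sample data: one patient, one care team, one uploaded note.
    rec = new_patient_record("pt-1001", {"dr-smith", "rn-lee"})
    add_designee(rec, "spouse-42")
    blacklist(rec, "parent-estranged")
    note = create_document(rec, "note-1", uploaded_by="clerk-7")
    for who in ("pt-1001", "dr-smith", "spouse-42", "clerk-7", "parent-estranged"):
        print(who, check_access(note, who).value)
```

The uploader check is the one worth stopping on: the platform default that the post warns about is exactly `create_document` silently adding `clerk-7` to the whitelist, and the per-file override shows why the blacklist has to live on the record rather than on the file, or a file-specific rule could reintroduce an estranged parent.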
Records Permissions Management for Ongoing Patient Care & Transitions
Next, let's talk about permissions management for ongoing patients. Permissions are based on circumstance and involvement. Those involved in a patient's care have access, and those who aren't involved should generally not have access. A patient may be transferred from one doctor to the next. Resident patients may move between wards and care teams. A patient may add or remove names from the list of people they authorize to access their medical records.
Updating permissions by hand can (and does) result in human error, so the answer is to provide as much automation as possible to these updates.
Automating HIPAA-Compliant Permission Changes
Automatic Records Transfer Procedure for HIPAA Compliance
Your medical facility’s computer system should be tracking which physicians and staff are assigned to each patient. This is good news for permissions automation – especially when you need to track permission changes.
If a doctor is removed from a patient's case, they should be programmatically removed from the file permissions as well, and likewise a newly assigned doctor should be added. If your patient transfers wards, they will likely have new care staff, so the previous staff should have permissions removed and the new staff should have permissions added.
If you send a patient's records to another provider, add that provider to the permissions if they have an account on your system. If a patient leaves your organization for another provider, be sure to remove everyone from their records permissions before archiving or destroying their records. This ensures that any lingering record, or even metadata from the files, is as secure as automation allows.
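The transfer procedure above as a reconciliation step: the facility's assignment list is treated as the source of truth for care-team grants, and the sync only ever touches grants that were made for that reason, leaving the patient's own grant and written designees alone. This is an added example, not the post's or any vendor's code; the grant reasons, the separate `legacy_block` set for providers removed from a case (the post's automatic blacklisting of removed teams) and the account ids are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

PATIENT, DESIGNEE, CARE_TEAM = "patient", "designee", "care_team"


@dataclass
class RecordPermissions:
    # account id -> why it was granted; only CARE_TEAM grants are managed by the sync
    grants: Dict[str, str] = field(default_factory=dict)
    # patient-directed, no-exceptions blacklist; automation never lifts it
    deny: Set[str] = field(default_factory=set)
    # providers removed from the case; lifted automatically only if they are reassigned
    legacy_block: Set[str] = field(default_factory=set)


def sync_care_team(perms: RecordPermissions, assigned: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Reconcile care-team grants with the facility's current assignment list.

    Returns (added, removed) so the caller can log the change for audit.
    """
    current = {acct for acct, why in perms.grants.items() if why == CARE_TEAM}

    removed = current - assigned
    for acct in removed:
        del perms.grants[acct]
        perms.legacy_block.add(acct)  # no legacy mix-ups after a transfer or ward move

    added: Set[str] = set()
    for acct in assigned:
        if acct in perms.deny:
            continue  # the patient's blacklist wins even over a staff assignment
        perms.legacy_block.discard(acct)  # a genuine reassignment lifts the legacy block
        if acct not in perms.grants:  # patient/designee grants are left as they are
            perms.grants[acct] = CARE_TEAM
            added.add(acct)
    return added, removed


def discharge(perms: RecordPermissions) -> Set[str]:
    """Patient leaves the organization: strip every grant before archive or destruction."""
    removed = set(perms.grants)
    perms.grants.clear()
    return removed


if __name__ == "__main__":
    # Constructed sample record: patient, one designee, two-person care team.
    p = RecordPermissions(
        grants={"pt-2002": PATIENT, "spouse-9": DESIGNEE, "dr-a": CARE_TEAM, "rn-b": CARE_TEAM},
        deny={"dr-banned"},
    )
    print("ward move:", sync_care_team(p, {"dr-a", "dr-c", "dr-banned"}))
    print("reassigned:", sync_care_team(p, {"dr-a", "dr-c", "rn-b"}))
    print("discharged:", discharge(p), "remaining:", p.grants)
```

Keeping the reason for each grant is what makes the sync safe to run unattended: a reconciliation that only knows "who has access" would strip the spouse along with the old nurse, or keep the old nurse because they happen to be on the list.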
Patient Self-Management Portal for HIPAA Compliance
Next, allow patients to manage their own HIPAA permissions list through an online portal, but do so with modern account security methods. Make sure your portal is secured with strong passwords, encryption, and multi-factor authentication when a patient logs in to alter their HIPAA file permissions.
When a change is made (a name added or removed), send an email and SMS to the patient just like you would for a password change. This provides patients the flexibility to manage their own permissions, the assurance that updates have gone through, and security against family members updating the list without their knowledge.
Security Measures to Defend HIPAA-Compliance Record Permission Settings
Last but not least, take cybersecurity measures to defend your new automated HIPAA permissions. Automation is excellent for compliance because it sets permissions the way they should be by default, instead of requiring the initial configuration to be right manually every time. However, automation can also create blind spots where we stop checking that everything is as it should be.
Network and Suspicious Activity Monitoring
Work with your IT team to ensure that no one can change your automation settings without raising alarms and sending alerts to admins. Set up network monitoring for any sort of unusual or unauthorized access attempts, whether against specific files or against the document platform itself. Establish specific suspicious-activity triggers and have a response plan ready to initiate when one of them fires.
In addition, be prepared for less criminal methods of attempted meddling, as we mentioned in the patient portal section.
Schedule Permission Audits for HIPAA Compliance
Finally, be sure to put a human eye on the system regularly. Every few weeks or months, or for all new records, have a HIPAA specialist look over patient file permissions to ensure the automated system (and any manual updates to permissions) is doing what it should. They should be looking for past care providers still on the list, unusually long lists of permitted loved ones, and other signs of an error or legacy permissions in the system.
Audits combine the precision of computers with the judgement of trained people who care, keeping you in HIPAA compliance and securing the personal information of all your patients equally.
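The audit checks the post lists, written as a scan that a HIPAA specialist could run before reviewing records by hand: past providers still on the list, unusually long designee lists, the patient missing from their own record, and an account that is both granted and blacklisted. This is an added example, not code from the post; the grant reasons, the threshold of five designees and the sample records are constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

# (patient_id, finding code, account or detail)
Finding = Tuple[str, str, str]


def audit_record(patient_id: str, grants: Dict[str, str], deny: Set[str],
                 assigned: Set[str], max_designees: int = 5) -> List[Finding]:
    """Flag permission states a reviewer should look at; returns an empty list if clean."""
    findings: List[Finding] = []
    if patient_id not in grants:
        findings.append((patient_id, "PATIENT_MISSING", patient_id))

    designees: List[str] = []
    for acct, why in sorted(grants.items()):
        if acct in deny:
            findings.append((patient_id, "GRANTED_AND_BLACKLISTED", acct))
        if why == "care_team":
            if acct not in assigned:  # legacy grant the sync should have removed
                findings.append((patient_id, "PAST_PROVIDER", acct))
        elif why == "designee":
            designees.append(acct)
        elif why != "patient":
            findings.append((patient_id, "UNKNOWN_REASON", f"{acct}:{why}"))

    if len(designees) > max_designees:
        findings.append((patient_id, "TOO_MANY_DESIGNEES", str(len(designees))))
    return findings


def audit_all(records: Dict[str, dict], assignments: Dict[str, Set[str]],
              max_designees: int = 5) -> Dict[str, List[Finding]]:
    """Audit every record; only patients with at least one finding appear in the result."""
    report: Dict[str, List[Finding]] = {}
    for patient_id, rec in records.items():
        found = audit_record(patient_id, rec["grants"], rec["deny"],
                             assignments.get(patient_id, set()), max_designees)
        if found:
            report[patient_id] = found
    return report


# Constructed sample data: one messy record, one record missing its own patient, one clean.
SAMPLE_RECORDS = {
    "pt-3003": {
        "grants": {"pt-3003": "patient", "dr-x": "care_team", "dr-old": "care_team",
                   "aunt-1": "designee", "cousin-2": "designee", "friend-3": "designee",
                   "friend-4": "designee", "neighbor-5": "designee", "uncle-6": "designee"},
        "deny": {"aunt-1"},
    },
    "pt-4004": {"grants": {"dr-y": "care_team"}, "deny": set()},
    "pt-5005": {"grants": {"pt-5005": "patient", "dr-z": "care_team"}, "deny": set()},
}
SAMPLE_ASSIGNMENTS = {"pt-3003": {"dr-x"}, "pt-4004": {"dr-y"}, "pt-5005": {"dr-z"}}


if __name__ == "__main__":
    for patient_id, findings in audit_all(SAMPLE_RECORDS, SAMPLE_ASSIGNMENTS).items():
        for _, code, detail in findings:
            print(f"{patient_id}: {code} {detail}")
```

The point of the scan is to hand the reviewer a short list rather than every record; the `PAST_PROVIDER` finding in particular is the test of whether the automated sync is actually running, since a correctly reconciled record can never produce it.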
If you would like to learn more about automating HIPAA compliance in medical organizations and digital platforms, contact us today. We look forward to discussing your organization’s technical infrastructure and how it can be better secured for greater HIPAA compliance.