TLDR; Every person needs their own username and password. It violates HIPAA and all basic security standards to share accounts and passwords.
A common request we get is for a shared user account. It makes sense, it can be a hassle creating an account for a temp worker, or a student, or an intern. From a security standpoint, particularly HIPAA, is this an acceptable practice?
Here is a great article entitled HIPAA Regulatory Alert: Sharing user names is a HIPAA security that discusses this very topic. Let’s look at some highlights from this article.
What is Behind the Request for a Shared Account?
For some, it is a matter of convenience.
We have seen a lot of requests simply out of convenience; people become frustrated with all the different passwords they have to use so they either decide to use common ones, write them down, or share them." We have seen that to be the case, it really can be a pain to keep changing usernames and logging in and out. We feel your pain.
For others, it is about licensing costs.
Perhaps you have an application that you rely on, but it charges per login, sometimes this is very costly. So, why not save that and just share a couple of logins? This often comes down from management, looking to reduce the cost per staff member. A perfect example of this is Microsoft Office, why pay $100/yr per person, when you can, according to Microsoft, install your application ‘on up to 5 devices’? BTW, Microsoft calls this Piracy… so don’t do that, please. :-)
Why is this in Violation of the HIPAA Security Rule?
It is all about intent, what is the intention of the Security Rule? Simply, it is to know who did what from where, and when did it happen? We are taking about an audit trail. Note the example given from the article.
“If you have a user logged in at a nurse’s station on a given day, and you do not know who it was among the eight rotating nurses, it’s a violation."
There is more to it than that, however. Sharing accounts basically defeats the most elemental and foundational accepted security practices. Each industry will have a series of best practices for security, HIPAA is only one of many. The fact is, no business in any industry should be sharing accounts. This practice can hurt all areas of your business; from finance, to HR, to operations.
Don’t Confuse HIPAA Security Rule with the HIPAA Privacy Rule.
These are two different rules. While there is a lot of overlap, they have different purposes. The HIPAA Privacy Rule covers ALL protected health information (PHI) in any medium (paper, recordings, video, electronic, etc.). The HIPAA Security Rule, hovever, covers only ELECTRONIC protected health information (e-PHI).
I like this quote from the article above… it seems to sum up how often the Security Rule is overlooked, and why.
“So many of them had been so ‘beaten up’ by the privacy rule that when the security rule came along, they went to sleep."
What Should I Do If We are Sharing Accounts or Passwords?
“If you are currently doing it, stop. Get yourself in compliance with the HIPAA security rule by having each employee whether part-time or full-time use a unique user login name."
First: JUST STOP!
Consult your IT Department or contracted provider. Ask them for help to remedy this situation. Protect yourself by initiating the process now… create an audit trail that you are trying to fix this ASAP.
Second: Set a Date, Follow Through
Set a date for when you will remediate this condition. Then follow through.
In the end, the most important thing of all is to make sure you have a clear distinction between HIPAA privacy and HIPAA security. Satisfying one does not satisfy the other.
For more information on how to protect your practice with HIPAA best practices. Please call or email us for our HIPAA Checklist, and a free consultation.