August 7, 2018
Question:

Hi Jennifer, 

A question from one of my staff members was brought up and I did not have the appropriate response. I was hoping you can assist me. Our medical software allows administrators to "impersonate" a user. The employee feels this is a breach of HIPAA but I do not think it is. This feature is built into our software. I have left a message for our software vendor to determine if there is a security measure in place to track who has impersonated another user and what was done during that session. Please advise if this is a HIPAA violation or not.

Thank you, V

  
Answer:

V - this question is very dangerous.  The framing of a "breach of HIPAA" is dangerous - because the question itself brings with it an inference of exposure.  As I understand the question - the EMR allows operation by an unidentified user.  If that is correct, I would not say that use of the EMR or use of that function ipso facto is a "breach of HIPAA", however, utilizing an EMR without a unique identifier is certainly not the proscribed best practice under the Security Rule that is a part of HIPAA.  Under the Security Rule covered entities are expected to implement physical, administrative and technical safeguards, an example of such are unique identifiers for all doctors and staff.  Allowing an unidentified user to cruise the EMR would lend to untrackable or potentially unauthorized patient access, and I would characterize as less HIPAA secure than requiring each doctor and staff member to utilize a unique identifier.  The verbiage here is very important; classifying as a "breach" is dangerous.   Working to change employee vernacular is part of the training culture.  Staff should not be determining whether a "breach" has occurred - instead it would be great for a staff member to bring to your attention a concern over HIPAA compliance... 

A great resource to assess your practice's HIPAA compliance is the Security Risk Assessment Tool operated by HealthIT and OCR available here - https://www.healthit.gov/topic/privacy-security/security-risk-assessment-tool.    Questions or concerns on HIPAA, contact me directly at Jennifer@Kirschenbaumesq.com