HIPAA and Staff Terminations — Managing Access to Prevent Breaches
01:00 PM ET | 10:00 AM PT | 12:00 PM CT Duration 90 Minutes
Webinar includes: all the training handouts, certificate, Q/A, and 90-minute live webinar
Presented by top HIPAA expert Jim Sheldon-Dean (founder and director of compliance services at Lewis Creek Systems, LLC)
Today, staff in medical offices have access to a number of systems that may be used for the access and management of Protected Health Information. There may be a patient management system that may or may not be integrated with an EHR, an e-mail system, access to file systems, access to government sites and health insurer sites, and access to other agencies’ and facilities’ systems. When a staff member starts, access may be set up for a few, obvious systems, such as e-mail, files, and the EHR, but access can grow over time and access to outside Web sites provided by others is necessary in many disciplines. After a while, a staff member may have access to far more than the e-mail, some files, and the EHR.
What happens when that staff member leaves the organization? Today there are usually processes for turning off access within the organization for departing staff, but often the access to outside sites is forgotten about, and may be left open. Depending on the system, staff may be able to access Protected Health Information even after they no longer work in your office, leading to privacy and security issues and breaches.
Terminating staff access is no longer a simple process; it requires a coordinated effort between managers, staff, and HR to ensure that all access that should be terminated is, indeed, properly terminated. Mishandling staff access can lead to privacy violations, enforcement investigations, and financial penalties. The time to get your access control procedures under control is now.
HIPAA regulations require that organizations have strict controls on access to electronic Protected Health Information to ensure that only authorized persons have access, and to ensure that access is terminated when no longer needed. The HIPAA Security Rule has Physical, Technical, and Administrative safeguard requirements that call for having the technology and processes in place to properly establish access and maintain it.
HR processes usually initiate and document the initial provision of access to systems within the office, such as networks, e-mail, servers, and the EHR. These systems are also the easiest to terminate access to, since they are controlled by the organization, and in general, a reverse process can be used for disabling access for termination.
At the conclusion of the session, participants will be able to:
1. Understand the rules surrounding access controls and their management under HIPAA.
2. Know the ways that access management controls can be improved to ensure access for terminated staff is properly terminated.
3. Learn how staff, managers, HR, and IT can work together to improve access controls and the privacy of patient information.
4. Know how to establish an improved access control process that can help prevent privacy and security issues.
Why you should attend
Other entities may maintain other systems, such as state Web sites for Medicaid, or insurer Web sites, that your staff needs to access. Often, access for these sites is arranged by the manager or program director of the staff person, but there may not be a good process for making sure this access is turned off upon a termination of employment. Depending on the system, access might still be possible from another workstation if the ID and password for the terminated staff are not blocked.
These external services, and other internal services that may not be managed centrally within your organization, are at risk for access being left open if a plan is not developed for managing that access.
The enabling of access must be tracked in a database (or similar tool) so that it is possible to always know who has access to which sites, and which sites need to be contacted to terminate access upon a staff termination. The use of this tool must be integrated into the actions of managers and HR alike so that they can work together to make sure unnecessary access is disabled, and privacy and security violations are avoided.
Overall, access management and HR processes need to move into the 21st Century, so that access management methods are relevant and effective as security tools in the modern age of communication.
• Learn about the HIPAA requirements for access controls and management.
• Learn about the HIPAA requirements for properly managing termination of access and conducting regular reviews to ensure access is terminated.
• Find out how the usual internal HR and IT processes may (or may not) work well for some systems, while other systems may be beyond their knowledge or control.
• Learn how access can be utilized following a staff termination to damage or illegally access records.
• Find out about processes that can be instituted to track and manage accesses that are not directly controlled by IT.
• Learn about the HIPAA enforcement penalties that can apply in the event of a breach of Protected Health Information.
Who will Benefit
Attendees should include Compliance Officers, Privacy and Security Officers, and leadership and staff in health information management, information security, and patient relations, as well as staff in patient intake and front-line patient relations and any others that are involved in, interested in, or responsible for, patient communications, information management, and privacy and security of Protected Health Information under HIPAA, including:
• Compliance director
• Privacy Officer
• Security Officer
• Information Systems Manager
• HIPAA Officer
• Chief Information Officer
Industries that can attend
This 90-minute online course is intended for professionals in the Healthcare Industry.