How should we respond when persons outside our organization request access to our EHR data?
Often, for the purposes of research, disclosure of a limited data set may be appropriate. Under the HIPAA Breach Notification Rule, disclosure is permitted of a limited data set of PHI that excludes the following direct identifiers of the patient or of the patient's relatives, employers, or household members:
- Date of birth
- Postal address information, except town or city and state
- Telephone numbers
- Fax numbers
- E-mail addresses
- Social Security Numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license plate numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- Internet Protocol (IP) addresses
- Biometric identifiers (including finger and voice prints)
- Full face photographic images and any comparable images
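As an added example (not part of the HRSA page), the filter below produces a limited data set from an EHR record by dropping the direct identifier fields listed above, keeping only town/city and state from the postal address, applying the same exclusions to nested household or relative entries, and then scanning the remaining free-text values for identifiers that may have leaked through (a release should be blocked while that scan reports any hits). The field names, the regex patterns and the sample record are assumptions, not part of any HIPAA specification.

```python
import re
# Field names are assumptions about the EHR export layout, not from the page.
EXCLUDED = {"date_of_birth", "telephone", "fax", "email", "ssn",
            "medical_record_number", "health_plan_number", "account_number",
            "license_number", "vehicle_id", "device_id", "url", "ip_address",
            "biometric", "photo"}
ADDRESS_RETAIN = {"city", "state"}  # the only postal elements that may remain
# Coarse patterns for direct identifiers that leak through free-text fields.
RESIDUAL = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
            "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
            "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
            "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
            "url": re.compile(r"https?://\S+")}

def strip_direct_identifiers(obj):
    """Drop excluded fields recursively, so nested household/relative entries are covered."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if key in EXCLUDED:
                continue
            if key == "address" and isinstance(value, dict):
                out[key] = {k: v for k, v in value.items() if k in ADDRESS_RETAIN}
            else:
                out[key] = strip_direct_identifiers(value)
        return out
    if isinstance(obj, list):
        return [strip_direct_identifiers(item) for item in obj]
    return obj

def find_residual_identifiers(obj, path="record"):
    """Return (path, kind) pairs for string values that still look like identifiers."""
    if isinstance(obj, dict):
        return [h for k, v in obj.items() for h in find_residual_identifiers(v, f"{path}.{k}")]
    if isinstance(obj, list):
        return [h for i, v in enumerate(obj) for h in find_residual_identifiers(v, f"{path}[{i}]")]
    if isinstance(obj, str):
        return [(path, kind) for kind, pat in RESIDUAL.items() if pat.search(obj)]
    return []
def to_limited_data_set(record):
    """Return (limited_record, residual_hits); release only when hits is empty."""
    limited = strip_direct_identifiers(record)
    return limited, find_residual_identifiers(limited)
SAMPLE_RECORD = {  # constructed sample, not real patient data
    "study_id": "S-0001", "date_of_birth": "1970-01-01", "ssn": "123-45-6789",
    "address": {"street": "1 Main St", "city": "Springfield", "state": "IL", "zip": "62701"},
    "email": "pat@example.org", "service_date": "2023-04-02",
    "notes": "Call back at 555-123-4567 with results",
    "household": [{"relation": "spouse", "telephone": "555-000-0000", "age": 52}]}
```

The residual scan is deliberately coarse: it catches identifiers pasted into notes fields, but it is a last check, not a substitute for reviewing which fields the export contains.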
In some cases, the decision may need to be made whether persons external to your organization should have user accounts on your EHR. Under this scenario, you must first consider whether you can accommodate such requests without compromising patient privacy. Under HIPAA, you have an obligation to ensure that all use and disclosure of patient information is authorized either by law or by the patient. Keep in mind that while your staff who access the EHR are making "use of the data", outsider access is considered a disclosure. Under HIPAA and many state privacy laws, the use and disclosure requirements are somewhat different.
Once you have determined a request is appropriate, you can provide access using the same methods discussed under remote access. In addition to these technical considerations, you should also address the following policy and procedure issues:
- Responsibility for access credentials. There should be an accountability process for creating the remote-access VPN log-on credential assigned to the external user.
- Privilege management. It may be necessary to create new roles for external users, especially if external users will have significantly different privileges than internal users. Separate roles also facilitate review of access logs, inspection of suspicious activity and general security monitoring. Privileges assigned to external users should comply with minimum necessary conditions, data access authorizations, and accounting of disclosure requirements. It may be necessary to modify the internal user request and authorization procedures to ensure that the external user is properly identified. All external user privileges should be revalidated periodically based on current needs.
- Agreement. A use agreement that binds both the external user and the user's organization is recommended. This agreement should address, at a minimum, appropriate uses of the EHR user account, restrict the user credentials to the assigned user, prohibit the sharing of user accounts, and require notification whenever the user's employment status changes.
- Access auditing. Because you have limited control over external users, it is recommended that there be routine review of access logs to verify user status and compliance with appropriate use policies. Additionally, review the audit findings to confirm that current access rights remain appropriate.
- Notice. Require the external user's organization to notify you of any local security incidents, especially those involving compromised workstations that could affect the security of your network and computing resources. This requirement can be incorporated into the use agreement.
Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.