HIPAA Regulatory Alert

Sharing user names is a HIPAA security violation

What's a shared user name between friends? Quite a bit, when it comes to the HIPAA security rule, warns Marion Jenkins, PhD, co-founder of QSE Technologies Inc., an Englewood, CO-based technology consulting firm. Unfortunately, he adds, many organizations have individuals who share user names — some because they are unaware of the seriousness of the violation, and others because they have less honorable intentions.

"Generally, the initiative comes from the health care workers — although sometimes it is initiated by management," says Jenkins. "It could simply be out of convenience; people become frustrated with all the different passwords they have to use so they either decide to use common ones, write them down, or share them."

Let's say there are part-time employees who only come in once a month and are replaced from time to time. "What often happens is that you give everyone access because it's a pain to change user names on and off," Jenkins explains. "So during implementation you may make everybody a super-user. But that's a total violation of HIPAA."

Health care organizations that allow shared user names to avoid additional licensing costs are opening themselves up to a "double-whammy" of HIPAA violation penalties and hefty fines for violating licensing agreements. "You may have a software package that charges $1,000 for a login, and that software may be used by a number of part-time people," Jenkins posits. "Many vendors will give you device licenses vs. user licenses, which allow you to have one person on at a time per machine, and that's the way you should do it. Some vendors, however, do not do this, so management seeks to circumvent licensing fees [by sharing user names]."

Microsoft Office, he notes, retails for about $300-$400. "If you are found violating that software agreement, you can be fined $3,000 per instance; so if you have 20 workstations and can't produce 20 licenses, you're looking at a $60,000 fine [in addition to HIPAA violation penalties]," warns Jenkins.

Defeating intent of security rule

The key issue, Jenkins continues, is that such a practice completely defeats the intent of the HIPAA security rule. "HIPAA security requires that with anyone who accesses or changes or looks at [protected health information] you have to be able to tell who did it and when," he explains. "If you have a user logged in at a nurse's station on a given day, and you do not know who it was among the eight rotating nurses, it's a violation. It says very explicitly in the security rule that with anyone who can access, view, edit, or change an entry you have to be able to tell who did it and when. There has to be an audit trail."

In addition, says Jenkins, "it defeats the most basic security policies that represent industry best practices. It makes it difficult to troubleshoot many IT problems, and it can jeopardize your human resource operations if you forget to change user names if and when an employee leaves the company."

So, what should your policy be with regard to allowing employees to share user names? "If you are tempted to share login names, don't," Jenkins warns. "If you are currently doing it, stop. Get yourself in compliance with the HIPAA security rule by having each employee — whether part-time or full-time — use a unique user login name."

Part of the problem, Jenkins suggests, stems from the fact that there are two distinct HIPAA rules — one governing privacy, the other governing security. "HIPAA security is completely different, and many facilities do not understand it," he asserts. "So many of them had been so 'beaten up' by the privacy rule that when the security rule came along, they went to sleep."

Your organization is required to have a completely separate set of procedures around HIPAA security in addition to those around privacy, Jenkins continues. "For example, you need to have a HIPAA security officer; it may be the same person as your privacy officer, but it has to be formalized. You have to physically secure your computer equipment. You must maintain a log of all security incidents — so, for example, in the case of a hard drive or power supply failure, you must record who entered the room and what they did."

Specifically around user names, he adds, you must have different ones for every individual. "In addition, that user name and password should only allow them to access what they need; so, for example, billing people should not be allowed to see clinical notes," he explains. "Furthermore, there must be different levels of security; for example, some employees will be allowed to view certain information but not to change it." The most important thing of all, he concludes, is to make sure you have delineated a clear distinction between HIPAA privacy and HIPAA security. "Satisfying one does not satisfy the other," he cautions.

[For more information, contact:

  • Marion K. Jenkins, PhD, QSE Technologies, 359 Inverness Drive South, Suite K, Englewood, CO 80112. Phone: (303) 283-8400, ext. 115. Fax: (303) 283-8401. E-mail: Marion.Jenkins@qsetech.com.]