Tip #12 – Restrict Access To Your Practice Management Software
Today’s leading practice management, electronic health record, and patient scheduling software is cloud-based and accessible from any internet web browser. The convenience and reliability of these solutions are unmatched, and they make ongoing IT support and server and backup maintenance things of the past.
However, convenience and ease of access come with a warning. When access to patient information is just a click away from any internet-connected device, it’s critical to deploy precautions and safeguards to ensure staff members access information only when it is directly related to their work duties.
Top Three Access Safeguards
PracticeSuite customers find it extremely helpful to implement the following safeguards to restrict after-hours access and remote access using context-based security rules.
#1 – Restrict Access by IP Address
Each computer has a unique address, much like a street address, that contains a series of numbers and periods such as 123.4.567.89. Medical practice management system administrators should identify all IP addresses for computers in the office and those that staff might use to access information remotely.
This allows administrators to limit access to their cloud-based medical practice management or electronic health record (EHR) system to only “known” computers, helping prevent unauthorized access attempts.
#2 – Restrict Access by Time of Day
With HIPAA security violations and patient privacy concerns at all-time highs, it is prudent to restrict access during times of the day when the practice or selected users have no business accessing patient records. As a best practice, our user community tends to restrict access to their systems between 10:00 p.m. and 6:00 a.m. Of course, variables such as on-call responsibilities or after-hours billing shifts require flexibility, by user, to establish the right settings.
Restricting access during specific times of the day helps medical practice administrators decrease exposure to privacy breaches. For one thing, it reduces the late-night temptation for employees to research a neighbor’s condition or a friend’s health status.
#3 – Restrict Access by Days of the Week
Unless a medical practice operates a 24×7 clinic schedule, there are days of the week the facility is closed. Just as you would lock the front door, turning off employee access to PHI and patient records is a wise decision. PracticeSuite customers have the flexibility to select specific days to allow access. Since this access is by user, administrators or staff who routinely work on patient accounts during times when the office is closed can be granted routine access while all other staff are restricted.
Restricting access on days when the office is closed (and even certain times of day if applicable) helps reduce potential exposure of sensitive patient information. It is also a smart standard operating procedure to document this practice in the HIPAA security documents maintained by the medical practice’s HIPAA compliance officer.
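The three safeguards above, combined into one per-user check. This is an added example, not PracticeSuite's code or configuration format: the rule fields, user names, and addresses are assumptions. The overnight 10:00 p.m. to 6:00 a.m. window is handled as a range that crosses midnight.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class AccessRule:
    networks: tuple                               # CIDR ranges of "known" computers
    blocked: tuple = (time(22, 0), time(6, 0))    # 10:00 p.m. to 6:00 a.m.; None = no limit
    days: frozenset = frozenset(range(5))         # Monday=0 .. Friday=4

def in_window(t, start, end):
    """True if t is in [start, end), including windows that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def check_access(rule, source_ip, when):
    """Return (allowed, reasons). `when` must be in the practice's local time."""
    reasons = []
    try:
        addr = ip_address(source_ip)
        known = any(addr in ip_network(n) for n in rule.networks)
    except ValueError:
        known = False                             # unparseable address: treat as unknown
    if not known:
        reasons.append("unknown_ip")
    if rule.blocked and in_window(when.time(), *rule.blocked):
        reasons.append("blocked_hours")
    if when.weekday() not in rule.days:
        reasons.append("closed_day")
    return (not reasons, reasons)

# Constructed sample policy: documentation-range addresses, hypothetical user names.
OFFICE = ("203.0.113.0/24",)
DEFAULT = AccessRule(networks=OFFICE)
RULES = {  # per-user exception: on-call staff, any day or hour, office or one home address
    "oncall_md": AccessRule(networks=OFFICE + ("198.51.100.7/32",),
                            blocked=None, days=frozenset(range(7))),
}

def decide(user, source_ip, when):
    """Apply the user's own rule if one exists, otherwise the default rule."""
    return check_access(RULES.get(user, DEFAULT), source_ip, when)

if __name__ == "__main__":
    print(decide("frontdesk", "203.0.113.20", datetime(2017, 9, 5, 23, 15)))
    print(decide("oncall_md", "198.51.100.7", datetime(2017, 9, 9, 23, 0)))
```

Returning every failed condition rather than stopping at the first gives the audit log the full reason for a denial, which supports the documentation practice mentioned above.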
Not yet a PracticeSuite Customer?
If the capabilities described above are not options in the system you currently use, please contact the PracticeSuite team to learn more about how to better mitigate HIPAA security and privacy risk by transitioning to PracticeSuite’s medical billing and practice management platform.
Last Updated on September 4, 2017