MARCH 15, 2011 / Issue 10
Featured Article
Managing EMRs beyond regulations

 By Kurt Johnson
While HITECH and HIPAA have been instrumental in promoting the adoption of EMRs, they have also enforced strong security and privacy policies around the protection of sensitive patient data. Following these five guidelines will help your organization implement a complete access assurance strategy.

Protecting confidential patient data has never been an easy task for healthcare organizations. Staff turnover can be frequent, employees’ roles are constantly changing and there is often a high level of contract work being performed – all factors that make it challenging for IT professionals to appropriately manage user access to patient records and other sensitive company data. In addition, the rapid adoption of electronic medical records (EMRs) industry-wide has added even more complexity to the IT puzzle, as patient data becomes more accessible over many different devices. While protecting patient privacy has always been of critical importance, there is now an additional layer of focus – compliance.

Healthcare organizations face a number of industry regulations, but the most notable are the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA). While HITECH and HIPAA have been instrumental in promoting EMR adoption by laying out how healthcare organizations should adopt and use electronic patient records, they have also imposed strong security and privacy requirements on the protection of sensitive patient data. Healthcare organizations that fail to demonstrate compliance with these regulations are not only at risk from data breaches; they are also exposed to penalties such as fines, withdrawal of government funding, criminal charges or even incarceration.

But while it is in the best interest of healthcare organizations implementing and using EMR systems to comply with HITECH and HIPAA, demonstrating compliance does not mean they are secure. Put another way, being compliant does not by itself ensure patient privacy. Beyond these regulations, it is incumbent upon healthcare organizations to implement effective risk management and security best practices that control access to confidential patient information and other corporate data; doing so is also simply good service to patients. Patients want assurance that their personal information will not be exposed to unauthorized users and that their hospital or doctor's office is taking every precaution necessary to prevent a data breach.

Implementing an effective access assurance strategy
The first step toward preventing data breaches and demonstrating compliance with industry regulations such as HITECH and HIPAA is assessing the security risks that exist within your organization. Where does sensitive information reside within EMR systems or on the corporate network? Who has access to it? Is that access appropriate? How and why was it granted? What are you doing to ensure policy is followed on an ongoing basis?

Once you have a clear understanding of the security risks that threaten your organization, you must define, assess, verify and enforce proper user access policies in order to minimize high-risk areas, protect sensitive patient data from unauthorized user access and prevent the misuse of patient records by authorized users. Here are five tips to help you effectively manage user access to EMR systems and other corporate networks:

  1. Define user access policies in accordance with corporate and industry regulations to avoid compliance violations while allowing caregivers to have the information they need to ensure patient safety and proper care.
  2. Create and manage roles so physicians, nurses and other members of the medical staff have the necessary level of access required for them to perform their jobs successfully, but only the access necessary. Granting employees access to information that is not essential to their job functions puts confidential patient and corporate data at an increased risk of being exposed – whether intentionally or unintentionally.
  3. Review user access policies on an ongoing basis to determine who has access to what sensitive data; verify that this access is appropriate and in compliance with both corporate and industry regulations; and remediate access when it is not.
  4. Ensure access is revoked as soon as an employee is terminated, and re-evaluated as soon as an employee transfers to a different position, in order to prevent access creep, “zombie” accounts (active accounts belonging to employees who have left the organization) and compliance gaps. Any delay between an employee leaving the organization or a role and the removal of the corresponding access gives that employee a window in which to use confidential data inappropriately. This is especially important in healthcare, where staff turnover can be frequent and responsibilities change constantly.
  5. Finally, it is imperative that healthcare organizations continuously monitor user activity to detect and deter misuse of patient records by authorized users. Are employees accessing EMR systems during off-shift hours? Are they viewing records of patients who are not under their care? The access itself may be authorized, but if employees are not using it appropriately, confidential patient data is still at risk. IT professionals can combine identity and access management (IAM) data (who holds which role, on which schedule, caring for which patients) with security information and event management (SIEM) event data to identify users whose behavior represents increased risk to the organization.
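
As an added illustration of tips 4 and 5 (this is example code written for this page, not code from the article or from any Courion product), the following Python script joins an identity roster against EMR access events the way an IAM-plus-SIEM correlation would: it flags activity by terminated or unknown accounts, access outside a user's scheduled shift (including shifts that cross midnight) and access to patients outside a user's care assignment. The roster, the user names, the patient identifiers and the key=value audit-line layout are all constructed for the example and do not correspond to any real EMR product's log format.

```python
"""Correlate an IAM roster with EMR access audit events.

Example code for this page: all identities, patients, log lines and the
audit-line format below are constructed, not taken from a real system.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Identity:
    """Hypothetical record as an IAM system might export it."""
    role: str
    status: str                        # "active" or "terminated"
    shift: tuple[time, time]           # scheduled (start, end); may wrap past midnight
    patients: set[str] = field(default_factory=set)   # current care assignment
    terminated_on: datetime | None = None


# Constructed roster: two day-shift clinicians, one night nurse, one ex-contractor.
ROSTER = {
    "nurse.lee":  Identity("nurse", "active", (time(7), time(19)), {"P100", "P101"}),
    "nurse.diaz": Identity("nurse", "active", (time(19), time(7)), {"P102"}),  # night shift
    "dr.patel":   Identity("physician", "active", (time(8), time(18)), {"P100", "P103"}),
    "temp.ross":  Identity("contractor", "terminated", (time(9), time(17)), set(),
                           terminated_on=datetime(2011, 3, 10)),
}

# Constructed EMR audit events in a simple key=value layout.
SAMPLE_LOG = """\
2011-03-14T09:12:03 user=nurse.lee action=VIEW patient=P100
2011-03-14T02:40:11 user=nurse.lee action=VIEW patient=P101
2011-03-14T10:05:45 user=dr.patel action=VIEW patient=P102
2011-03-14T23:15:00 user=nurse.diaz action=UPDATE patient=P102
2011-03-14T11:30:27 user=temp.ross action=VIEW patient=P103
2011-03-14T11:31:02 user=ghost.acct action=VIEW patient=P100
"""

LINE_RE = re.compile(r"^(\S+)\s+user=(\S+)\s+action=(\S+)\s+patient=(\S+)$")


def parse_events(text):
    """Yield (timestamp, user, action, patient) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, action, patient = m.groups()
            yield datetime.fromisoformat(ts), user, action, patient


def in_shift(ts, shift):
    """True if ts falls inside the scheduled shift; handles shifts that cross midnight."""
    start, end = shift
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end       # e.g. 19:00-07:00 wraps through midnight


def review_access(log_text, roster):
    """Return findings as (user, iso_timestamp, rule, detail) tuples."""
    findings = []
    for ts, user, action, patient in parse_events(log_text):
        ident = roster.get(user)
        if ident is None:
            findings.append((user, ts.isoformat(), "unknown-account",
                             f"{action} on {patient} by an account absent from the roster"))
            continue
        if ident.status == "terminated":
            # Tip 4: a still-active account for someone who has left is a zombie account.
            findings.append((user, ts.isoformat(), "zombie-account",
                             f"terminated {ident.terminated_on:%Y-%m-%d} but still accessing {patient}"))
            continue                   # the account should not exist; other rules are moot
        # Tip 5: authorized user, but is the access pattern appropriate?
        if not in_shift(ts, ident.shift):
            findings.append((user, ts.isoformat(), "off-shift",
                             f"{action} on {patient} outside {ident.shift[0]:%H:%M}-{ident.shift[1]:%H:%M}"))
        if patient not in ident.patients:
            findings.append((user, ts.isoformat(), "non-assigned-patient",
                             f"{ident.role} {action} on {patient}, not in care assignment"))
    return findings


if __name__ == "__main__":
    for finding in review_access(SAMPLE_LOG, ROSTER):
        print(" | ".join(finding))
```

Run stand-alone, the script reports four findings: nurse.lee's 02:40 access is off-shift, dr.patel viewed a patient outside his assignment, temp.ross is a zombie account and ghost.acct is not in the roster at all; nurse.diaz's 23:15 update produces nothing because the shift check accounts for the midnight wrap. In practice the roster would come from the IAM system's export or API and the events from the SIEM, with the "assigned patient" rule tuned per role, since roles such as pharmacy or billing legitimately touch records across many patients.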

By following these guidelines, healthcare organizations will be able to implement a complete access assurance strategy that allows them to ensure that only the right employees have the right access to the right resources and are doing the right things. Otherwise, they are more susceptible to compliance violations and data breaches – both of which can be detrimental to a company’s bottom line as well as its reputation.

About the author
Kurt Johnson is vice president of strategy and corporate development for Courion Corporation, an identity and access governance provider. For more information on Courion:


Featured Blog
Sustainable health communities: The payer perspective

Football season is over for the year. But for payers, the idea that “as goes the quarterback so goes the team” has never resonated as loudly as it does now in the new world of sustainable health communities (SHCs).
By Joel Hoffman, senior vice president, Ingenix Consulting.



Healthcare Reporting Roundup
Obama forced to defend health law constitutionality (The Hill)

Justice Dept. seeks fast ruling for health care law (The Washington Post)

Healthcare's 'unicorn' gets real (

Patients suffer from doctors' poor communication, research finds (Seattle Times)

Latest Industry News
Patients 46 percent less likely to experience patient safety incident at top-rated hospitals, study finds

Boston researchers create 'SMArt' platform architecture, launch $5,000 health app competition

Riverside Community Hospital selects ProVation software

Elsevier/MEDai and dbMotion partner to deliver health analytics solutions

HHS awards early innovator grants to seven states




Copyright 2011 NP Communications LLC,
2506 Tamiami Trail North, Nokomis, FL 34275