Shared Usernames: HIPAA Security No-No
November 27, 2009 by Beckers ASC Review
Filed under Becker's ASC Review, Healthcare IT
Many times in our work with medical facilities and ASCs, we see usernames shared among multiple people. Sometimes this is for (perceived) convenience, sometimes it is because more than one person shares a workstation or terminal and sometimes it is to get around software vendors’ licensing terms to avoid paying extra costs for extra licenses.
Regardless of the reason, this is a serious HIPAA Security Rule violation. It may also violate the terms of use policy of your software vendor(s), leading to significant fines and penalties. It is also against industry best practices.
The HIPAA Security Rule requires an audit trail for all users, so that, if necessary, it can later be determined who logged in and who accessed or changed EPHI (electronic protected health information). If two or more people share a login, the audit trail cannot say which of them accessed the EPHI.
Even without the HIPAA Security Rule, sharing usernames is a bad idea. It defeats the most basic security policies that industry best practices call for, it makes many IT problems difficult to troubleshoot, and it can jeopardize your human resource operations if you forget to change a shared login when an employee leaves the company.
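The attribution problem above also leaves a detectable trace: one person cannot be at two workstations at once, so a username that is active on two terminals at the same time is almost certainly shared. The following is an added example, not code from the article or from QSE Technologies; it scans a constructed, hypothetical EHR audit log (the line format and field names are assumptions) and reports every username that holds concurrent sessions on different workstations.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (hypothetical format, not from any real EHR).
# Each line is one LOGIN or LOGOUT event for a username on a workstation.
SAMPLE_LOG = """\
2009-11-27 08:02:11 LOGIN  user=nurse_station host=WS-04 session=101
2009-11-27 08:05:40 LOGIN  user=jsmith        host=WS-07 session=102
2009-11-27 08:09:03 LOGIN  user=nurse_station host=WS-11 session=103
2009-11-27 08:31:55 LOGOUT user=nurse_station host=WS-04 session=101
2009-11-27 09:12:20 LOGOUT user=jsmith        host=WS-07 session=102
2009-11-27 09:40:00 LOGIN  user=jsmith        host=WS-02 session=104
2009-11-27 10:00:00 LOGOUT user=nurse_station host=WS-11 session=103
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<ev>LOGIN|LOGOUT)\s+user=(?P<user>\S+)\s+"
    r"host=(?P<host>\S+)\s+session=(?P<sid>\d+)$"
)


def find_concurrent_logins(log_text):
    """Return (user, hosts, timestamp) for each moment a username becomes
    active on two or more distinct workstations at once. Such overlap is the
    signature of a shared login, i.e. audit records that can no longer be
    attributed to a single person.
    """
    active = defaultdict(dict)  # user -> {session id: workstation}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        sessions = active[m["user"]]
        if m["ev"] == "LOGIN":
            sessions[m["sid"]] = m["host"]
            hosts = sorted(set(sessions.values()))
            if len(hosts) > 1:
                findings.append((m["user"], tuple(hosts), ts))
        else:
            sessions.pop(m["sid"], None)
    return findings


if __name__ == "__main__":
    for user, hosts, ts in find_concurrent_logins(SAMPLE_LOG):
        print(f"{ts} {user} active on {', '.join(hosts)}: probable shared login")
```

In the sample, jsmith logs out of one workstation before logging in at another and is not flagged, while nurse_station is flagged the moment its second overlapping session opens.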
Sometimes in a surgery center, several part-time people may share a position or function. So there is a tendency to share a login among two or more people who do the same job to avoid paying more licensing fees. You should check with your software provider to see if they will provide device or site licensing, or licensing based on FTEs, so you can have a unique login name for each user without having to pay “full freight” for part-time employees.
If you are using this method to skirt software licensing fees, watch out. This is considered a serious form of software piracy. There is an organization called the BSA (Business Software Alliance) consisting of such industry heavyweights as Microsoft, Adobe, Apple, Cisco, Dell, HP, IBM, Symantec and many others. This organization advertises heavily to encourage people to turn in companies that are trying to avoid paying licensing fees. The fines can be substantial, running to $250,000 and more, plus jail time, for a single instance of non-compliance. And to add to the risk, the BSA offers rewards of up to a million dollars for people to report software piracy.
What should you do? If you are tempted to share login names: don’t. If you are currently doing it, stop. Get yourself in compliance with the HIPAA Security Rule, and avoid a visit by the BSA, by having each employee — whether part-time or full-time — use a unique user login name.
Marion K. Jenkins, PhD, is founder and CEO of QSE Technologies, which provides IT consulting services for ASCs and other medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com.
Yes, the shared username is a severe violation of HIPAA security and privacy laws. Due to the lack of a security compliance plan and proper HIPAA training, many healthcare facilities as well as covered-entity staff get into the situation of violating HIPAA security and privacy laws, and this will happen as long as proper HIPAA training is not provided to the concerned persons handling patient information. It has been said that many hospital staff, including doctors, are unaware of the HIPAA security and privacy law and accidentally breach vital patient information, and to avoid such incidents HIPAA training is one of the most important options. So if he or she is a doctor, nurse, MT or any concerned person handling patient information, he/she has to go through HIPAA training.