Paubox blog: HIPAA compliant email made easy

Who should have role based access to HIPAA compliant email accounts?

Written by Kirsten Peremore | November 04, 2024

Email accounts contain information necessary for an organization's operation. Unmonitored access to these accounts, especially in healthcare, can increase the risk of unauthorized access and make it harder to trace the source of an insider threat.


HIPAA and role-based access controls

Policies built around predefined sets of permissions tied to job functions limit who can access protected health information (PHI). The practice of role-based access control closely aligns with the Access Control requirements set by the HIPAA Security Rule.

A study published in the IEEE Transactions on Information Technology in Biomedicine states, "Separation of duty distributes responsibility to carry out a task among several users, such that a single person cannot be powerful enough to do it completely without collusion." It is in this segmentation of roles that it becomes easier to track unauthorized access to specific data sets.


The reason behind limiting access to email accounts

Healthcare organizations are responsible for a host of valuable PHI that could be exploited if it falls into the wrong hands. Restricting business email accounts according to role-based access principles reduces the risk of unauthorized access.

Limited access also helps minimize the chances of an insider threat. Because staff only receive access to accounts based on their job function, any access outside the scope of that function, or from a device that is not permitted, can be easily flagged by the organization.

HIPAA compliant email platforms like Paubox, which maintain audit logs, make flagging irregular activity that much easier. With a traceable log, organizations can provide evidence to authorities like the HHS in case of a breach, or simply monitor irregular staff behavior on an account.


Who should have consistent role based access to email accounts 

Clinical staff 

Doctors, nurses, and therapists are examples of clinical staff who often need access to the organization's email account to coordinate care effectively. This access allows for the easy distribution of patient records. 


Administrative staff

Email is a central tool in the duties of administrative staff like receptionists and office managers. Tasks like scheduling, confirmation of patient details, and relaying information between staff become manageable without the chance of exposing PHI. 


IT and security personnel

IT staff need access to email accounts in order to monitor, maintain, and troubleshoot potential threats sent through email. There should still be measures in place to make sure this access is controlled and monitored to prevent abuse.
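The policy described above (role-scoped permissions, a separation-of-duty check, and flagging audit-log entries that fall outside a role or come from an unmanaged device) as an added example; it is not Paubox's code, and the role names, permission sets, device list and log line format are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy: role -> actions permitted on the shared mailbox.
ROLE_PERMISSIONS = {
    "clinical": {"read", "send"},
    "administrative": {"read", "send", "schedule"},
    "it": {"read_headers", "configure"},
}
# Separation of duty (constructed rule): a role that can change mailbox
# configuration must not also be able to read message bodies (PHI).
SOD_CONFLICTS = [frozenset({"configure", "read"})]
# Constructed list of managed devices from which access is permitted.
MANAGED_DEVICES = {"ws-clinic-01", "ws-frontdesk-02", "ws-it-07"}
# Constructed user -> role assignments.
USERS = {"dr.lee": "clinical", "rfront": "administrative", "svc.it": "it"}

@dataclass
class Event:
    user: str
    action: str
    device: str

def parse_log(text):
    # Constructed audit log format: one event per line, "key=value" fields.
    events = []
    for line in text.strip().splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        events.append(Event(fields["user"], fields["action"], fields["device"]))
    return events

def check_sod(role_permissions):
    # Return roles whose permission set contains a conflicting combination.
    return [role for role, perms in role_permissions.items()
            if any(conflict <= perms for conflict in SOD_CONFLICTS)]

def flag_events(events):
    # Return (user, reason) for every event that violates the policy.
    flags = []
    for e in events:
        role = USERS.get(e.user)
        if role is None:
            flags.append((e.user, "unknown user"))
        elif e.action not in ROLE_PERMISSIONS[role]:
            flags.append((e.user, f"action '{e.action}' outside role '{role}'"))
        elif e.device not in MANAGED_DEVICES:
            flags.append((e.user, f"unmanaged device {e.device}"))
    return flags

# Constructed sample log: one clean event, then four that should be flagged.
SAMPLE_LOG = """
user=dr.lee action=read device=ws-clinic-01
user=rfront action=configure device=ws-frontdesk-02
user=svc.it action=read device=ws-it-07
user=dr.lee action=send device=home-laptop
user=ghost action=read device=ws-clinic-01
"""
```

Running `flag_events(parse_log(SAMPLE_LOG))` flags the administrative user attempting configuration, the IT account reading message bodies, the clinician on an unmanaged device, and the unknown account, while `check_sod` confirms no single role combines configuration and read rights.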


FAQs

What is HIPAA? 

The Health Insurance Portability and Accountability Act is a U.S. law that protects the privacy and security of a person's medical information. 


What is the Security Rule? 

The Security Rule is a part of HIPAA that sets the standard for the protection of ePHI through specific safeguards. 


What is the exception to the Minimum Necessary Rule?

It occurs when PHI is disclosed to healthcare providers for treatment purposes or information is used within the scope of patient authorization.