Email accounts contain information necessary for an organization's operation. Unmonitored access to these accounts, especially in healthcare, can increase unauthorized access and make it harder to trace the source of insider threats.
Policies built around predefined sets of permissions tied to job functions limit access to protected health information (PHI). This practice, role-based access control, closely aligns with the Access Control requirements set by the HIPAA Security Rule.
A study published in the IEEE Transactions on Information Technology in Biomedicine states, “Separation of duty distributes responsibility to carry out a task among several users, such that a single person cannot be powerful enough to do it completely without collusion.” It is this segmentation of roles that makes it easier to track unauthorized access to specific data sets.
Healthcare organizations are responsible for a host of valuable PHI which could be exploited if in the wrong hands. Restricting business email accounts according to role-based access principles reduces the risk of unauthorized access.
The limited access also helps minimize the chances of an insider threat. Because staff only receive access to accounts based on their job function, any access outside the scope of that function, or from a device that is not permitted, can be easily flagged by the organization.
HIPAA compliant email platforms like Paubox that maintain audit logs make flagging irregular activity that much easier. With a traceable log, organizations can provide evidence to authorities like the HHS in case of a breach, or simply monitor irregular staff behavior on their accounts.
Doctors, nurses, and therapists are examples of clinical staff who often need access to the organization's email account to coordinate care effectively. This access allows for the easy distribution of patient records.
Email is a central tool in the duties of administrative staff like receptionists and office managers. Tasks like scheduling, confirmation of patient details, and relaying information between staff become manageable without the chance of exposing PHI.
IT staff need access to email accounts in order to monitor, maintain, and troubleshoot them and to respond to threats that arrive through email. There should still be measures in place to make sure this access is controlled and monitored to prevent abuse.
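The following is an added example, not Paubox's code or API, showing how the role groups above (clinical, administrative, IT) can be expressed as a role-based access policy with a separation-of-duty check, and how an audit log can be reviewed to flag actions outside a user's role or from a device the user is not permitted to use. The role names, action names, users, device identifiers and the key=value log format are all constructed assumptions.

```python
# Added example (not Paubox's code or API): a minimal role-based access
# policy for shared mailbox actions, with an audit-log review that flags
# actions outside a user's role or from a non-permitted device.
# Roles, actions, users, devices and the log format are constructed.
from dataclasses import dataclass
from typing import Iterable

# Role -> permitted mailbox actions. The three groups mirror the staff
# roles in the text; the action names are assumptions.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "clinical": frozenset({"records:read", "records:send"}),
    "administrative": frozenset({"schedule:read", "schedule:send"}),
    "it": frozenset({"mailbox:configure", "mailbox:audit"}),
}

# Separation of duty: no single role may hold both actions of a pair.
# Whoever configures mailboxes should not also read patient records alone.
SEPARATION_OF_DUTY = [("mailbox:configure", "records:read")]

# Constructed directory: user -> role, and user -> permitted device ids.
STAFF_ROLES = {"dr_lee": "clinical", "front_desk": "administrative", "it_ops": "it"}
PERMITTED_DEVICES = {
    "dr_lee": {"clinic-laptop-07"},
    "front_desk": {"reception-pc-01"},
    "it_ops": {"it-ws-02"},
}


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user: str
    action: str
    device: str


def check_separation_of_duty(role_permissions=ROLE_PERMISSIONS) -> list[str]:
    """Return the roles that hold both halves of a separation-of-duty pair."""
    return [role for role, perms in role_permissions.items()
            if any(a in perms and b in perms for a, b in SEPARATION_OF_DUTY)]


def is_authorized(user: str, action: str, device: str) -> bool:
    """Allow an action only if the user's role grants it and the device is permitted."""
    role = STAFF_ROLES.get(user)
    if role is None:
        return False
    return action in ROLE_PERMISSIONS[role] and device in PERMITTED_DEVICES.get(user, set())


def parse_audit_line(line: str) -> AuditEvent:
    """Parse one constructed 'ts=... user=... action=... device=...' log line."""
    fields = dict(part.split("=", 1) for part in line.split())
    return AuditEvent(fields["ts"], fields["user"], fields["action"], fields["device"])


def review_audit_log(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, reason) for every event that breaks the policy."""
    findings = []
    for line in lines:
        ev = parse_audit_line(line)
        role = STAFF_ROLES.get(ev.user)
        if role is None:
            findings.append((ev.ts, ev.user, "unknown user"))
        elif ev.action not in ROLE_PERMISSIONS[role]:
            findings.append((ev.ts, ev.user, f"action {ev.action} outside role {role}"))
        elif ev.device not in PERMITTED_DEVICES.get(ev.user, set()):
            findings.append((ev.ts, ev.user, f"device {ev.device} not permitted"))
    return findings


# Constructed audit log: one normal event per role, then two anomalies
# (a receptionist reading records; a clinician using an unknown device).
SAMPLE_LOG = [
    "ts=2024-03-01T09:00:00Z user=dr_lee action=records:send device=clinic-laptop-07",
    "ts=2024-03-01T09:05:00Z user=front_desk action=schedule:read device=reception-pc-01",
    "ts=2024-03-01T09:10:00Z user=it_ops action=mailbox:audit device=it-ws-02",
    "ts=2024-03-01T23:40:00Z user=front_desk action=records:read device=reception-pc-01",
    "ts=2024-03-02T02:15:00Z user=dr_lee action=records:read device=home-phone",
]

if __name__ == "__main__":
    assert not check_separation_of_duty(), "role definitions violate separation of duty"
    for finding in review_audit_log(SAMPLE_LOG):
        print(*finding)
```

The review deliberately checks role scope before device, so a finding names the most serious problem first; in a real deployment the role directory and device allow-list would come from the identity provider and device management system rather than constants.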
The Health Insurance Portability and Accountability Act is a U.S. law that protects the privacy and security of a person's medical information.
The Security Rule is a part of HIPAA that sets the standard for the protection of ePHI through specific safeguards.
It occurs when PHI is disclosed to healthcare providers for treatment purposes or information is used within the scope of patient authorization.