Here are sample questions to ask as a quick self-assessment tool about Access Control, whether you are a healthcare provider referred to as a Covered Entity (CE), or a Business Associate (BA).
- Who among your workforce staff and/or Business Associates has authorized access to PHI?
- What is the data access control method applied for authorized and unauthorized persons?
- Who has an Access Granting Authority for your organization’s PHI?
- Who has the Access Granting Administration role/responsibility in your organization?
- What are your Access Rights Requirement(s), if any?
- Do you have a User Account Management policy and procedures in place in order to:
- Setup User Account requirements.
- Identify Access Rights.
- Ensure User identification and authentication.
- Security of Access Control data.
- Modify or terminate Access Rights.
- Maintain Access Control logs for at least six years.
- Do you have an Emergency Access plan and/or procedures to ensure availability of or access to PHI during an emergency?
- Has your organization instituted an automatic logoff or lockout device or system to prevent unauthorized access to PHI?
- What mechanisms (if any) do your devices or systems have in place to encrypt and decrypt PHI to deter access to data by unauthorized persons?
BREACH REPORT: CASES CURRENTLY UNDER INVESTIGATION SINCE JULY 2022
As of August 20, 2022
Below is actual data from the HHS OCR Portal. These are cases currently being investigated by said government agency. This data is posted in compliance with §13402 of the HITECH Act. Protected Health Information (PHI) breaches involving at least 500 individuals must be reported to and published by the HHS OCR Secretary.
|Name of Covered Entity||State||Covered Entity Type||Individuals Affected||Breach Submission Date||Type of Breach||Location of Breached Information|
|Novant Health Inc. on behalf of Novant Health ACE & as contractor for NMG Services Inc.||NC||Business Associate||1362296||08/14/2022||Unauthorized Access/Disclosure||Electronic Medical Record|
|Northwestern Medical Center||VT||Healthcare Provider||584||08/09/2022||Unauthorized Access/Disclosure||Electronic Medical Record|
|Steward Medical Group||FL||Healthcare Provider||2188||07/26/2022||Unauthorized Access/Disclosure||Electronic Medical Record|
|Santa Rosa County District Schools||FL||Health Plan||9424||07/25/2022||Unauthorized Access/Disclosure||Other|
|Phoenixville Hospital||PA||Healthcare Provider||934||07/07/2022||Unauthorized Access/Disclosure||Desktop Computer|
|Cheyenne Regional Medical Center||WY||Healthcare Provider||1652||07/05/2022||Unauthorized Access/Disclosure||Desktop Computer, Electronic Medical Record|