Managing Staff Access to Health Information under HIPAA — Issues in Enabling and Disabling Access, and Working Remotely

Event Information
Product Format
Prerecorded Event
60 minutes
Product Description

Comply with the HIPAA Privacy Rule when Providing Access to Systems Holding PHI

Employees in healthcare organizations need access to certain networks and systems to do their work. However, it takes far more than a call to the IT department to properly set up access to systems for staff, and even more when employees depart the organization. Some systems may be under the direct control of your IT department, but many are merely accessed by staff and maintained by other entities that may not even be known to the organization. Working outside the office also brings a whole host of issues that come with remote access to your systems and to those of outside entities.

Not managing staff access properly can lead to significant privacy and breach issues. If inappropriate access is provided, staff can learn more than they need to in order to provide their services. If too little access is provided, staff may not be able to get their job done. When employees leave an organization, all of their access must be terminated, even for systems you may not directly control; not doing so can lead to serious breaches of confidential information. In addition, it is necessary to reach out to those who are leaving the organization to ensure that they do not retain any PHI to which they are not entitled. Not managing staff access properly can lead to penalties and fines in the millions of dollars. Establishing good access management processes can help you avoid those issues.

Join this session, where healthcare compliance and HIPAA expert Jim Sheldon-Dean will discuss the management of staff access to systems, how it is best enabled and disabled, and how it can be provided securely when staff members work remotely.

You will learn how to manage the processes involved with establishing, monitoring, and terminating staff access to systems holding PHI. New access requires a plan for the necessary access, including locally installed systems and networks as well as those provided by other entities, establishing the appropriate control settings for each staff member, reviewing the access settings and access used, and terminating all the various access points upon a staff departure. This session will discuss the issues of remote access, including determining who should have remote access, and how it should be provided and managed. Reviews to ensure the proper controls are in place are essential to compliance.

You will be able to review the access management policies and procedures to see whether you adequately control access enablement, review, and termination. You will be able to understand where to find out about the wide range of external accesses that may be used, and who may be managing that access, or not. You will be able to develop a plan for how to rein in uncontrolled external accesses so that they can be managed and properly terminated upon staff departures. You will also be equipped to review remote access and consider how it might be better controlled to limit access to the minimum necessary and protect any PHI.

Session Highlights

In this session, you will learn:

  • How the HIPAA Privacy Rule and “Minimum Necessary” must be considered in providing access to systems
  • How the HIPAA Security Rule provides physical, technical, and administrative safeguards to protect Protected Health Information (PHI)
  • How processes must be defined for enabling and documenting access
  • How processes must be defined for reviewing and modifying access as necessary to preserve confidentiality
  • How external websites used by staff must be catalogued and access must be known and managed
  • When staff leave the organization, all the accesses must be located and terminated
  • How to ensure that terminated staff do not retain or use any PHI following departure
  • Special considerations in remote access establishment and controls

Session Agenda

  • HIPAA Privacy & Security Rules
  • HIPAA Breach Notification Rule
  • Evaluating risks
  • Relevant HIPAA safeguards
  • HIPAA requirements for access controls and management
  • Processes that can be instituted to track and manage accesses that are not directly controlled by IT
  • How access can be utilized following a staff termination to damage or illegally access records
  • HIPAA requirements for properly managing termination of access and conducting regular reviews to ensure termination
  • The usual internal HR and IT processes may (or may not) work well for some systems, but some systems may be beyond their knowledge or control
  • HIPAA enforcement penalties that can apply in the event of a breach of Protected Health Information

Who Should Attend

Compliance officers, privacy and security officers, and leadership and staff in health information management, information security, and patient relations, as well as staff in patient intake and front-line patient relations and any others that are involved in, interested in, or responsible for, patient communications, information management, and privacy and security of Protected Health Information under HIPAA, including:

  • Compliance directors
  • CEOs
  • CFOs
  • Privacy officers
  • Security officers
  • Information systems managers
  • HIPAA officers
  • Chief information officers
  • Health information managers
  • Healthcare counsel/lawyers
  • Office managers
  • Contracts managers

Ask a question at the Q&A session following the live event and get advice unique to your situation, directly from our expert speaker.

About Our Speaker

Jim Sheldon-Dean - HIPAA Compliance & Regulations Expert

Jim Sheldon-Dean is a healthcare compliance and HIPAA expert in the areas of privacy and security regulatory compliance and business process analysis. He is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of healthcare entities. Jim is a frequent speaker regarding HIPAA...