Building a HIPAA Toolbox: Part 6

Part 6: Strengthen compliance through user controls.

By Stacy Harper, JD, MHSA, CPC

When we think about security, we usually focus on keeping the “bad people” out. For example, much discussion regarding HIPAA security involves appropriate safeguards to prevent disclosure or access to unauthorized persons. But with the recent Walgreens case, and other breaches triggered by employee snooping, more organizations are evaluating what kinds of safeguards should be in place to manage security inside the authorized workforce. This begins with the development of effective user controls.

Tip: For more information on the Walgreens case, see “Building a HIPAA Toolbox Part 4,” February 2015 Healthcare Business Monthly, pages 58-59, and “Award May Cement Employer’s Role in Breach Suits” under AAPC News on our website.

Within HIPAA security regulations are a set of addressable administrative safeguards related to workforce security. This process begins with establishing authorized access through a workforce clearance procedure and access modification. As with all HIPAA security safeguards, the regulations merely provide a checklist of steps that your organization should take; they do not indicate how to determine appropriate access for an employee. This is where incorporating elements of billing and coding compliance can be used to strengthen the organization’s compliance globally.

Workforce Clearance Procedure

The user control process begins with the selection of the workforce member. Before you can determine appropriate access, your organization must establish whether the person should be eligible to obtain access.

Workforce clearance usually includes basic background checks and reference verification. For certain types of patient care roles, regulators may require additional criminal checks, licensure verification, or other screening. Review the Office of Inspector General’s (OIG) exclusions database to see if there is a history of an individual misusing information of federal healthcare program beneficiaries.

The clearance procedure also serves as a fact-finding phase. Use gathered information, such as licensure status, prior education and training, and role within the organization, to customize user access.

Access Authorization

After an employee is cleared to obtain access to the system, the next step is to determine what level of access should be granted. This starts with the functions the employee must perform for the organization. Billing and coding compliance requirements can also be incorporated so that user access not only complies with HIPAA but also supports the corporate compliance program. For example:

Order Entry: Only physicians and certain non-physician practitioners are permitted to order medications, diagnostic testing, and other services; however, other individuals are frequently involved in transmitting this information. Depending on the type of order, state and federal regulations limit who may be involved in this process.

For instance, to satisfy meaningful use requirements for computerized order entry, the order must be entered into the electronic system by a licensed healthcare professional, consistent with state law. When providing an employee the ability to enter electronic orders, the organization should consider whether the role involves order entry, as well as whether the individual holds the necessary credentials to perform this function.

Visit Documentation: When reviewing evaluation and management (E/M) services, there is a long-standing debate about who is authorized to document the history of present illness. With implementation of electronic health records (EHRs), this question is answered more readily through audit trails in the technology.

Although nurses and medical assistants may need sufficient access to enter documentation of vital signs and other information in a visit note, they likely do not need to enter information in other portions of the record.

When the record system is capable of restricting portions of documentation, it can limit the creation of entries that must be documented by the billing practitioner to licensed practitioners. This deters the temptation to delegate these functions to other staff.

Amendment of Records: In its December 2013 report on fraud safeguards in EHR technology, the OIG recommended that individuals performing audit functions be limited to “read-only” access to the record system. Medicare guidelines are clear that, for an electronic record to be valid, it must be authenticated by the performing practitioner and protected against modification. If an individual who did not create the original documentation is able to modify a record, that record is likely to draw increased compliance scrutiny, so such access should be granted only after careful consideration.

Your organization can tailor its user access to support its corporate compliance program by considering billing and coding guidelines, or other state and federal regulations applicable to a function performed within your electronic record system. If you restrict user controls to functions that an individual is permitted by law to perform, the risk of inadvertent non-compliance can be reduced.

Access Establishment and Modification

When the scope of user access has been determined, your organization should have a process for providing this access to the employee. Access establishment involves creating a unique user identification in each system where access has been authorized, and providing the approved access to that user ID.

The user control process does not end there. Continually review user controls and make modifications, where necessary. Modifications may be triggered by a change in position of an employee, updates to the electronic record system, or implementation of a new law or guidance. Through monitoring of these activities, your organization can maintain current user controls and improve its compliance with HIPAA and other laws.
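The role, credential and author-only rules described under Access Authorization, together with the establishment and modification steps above, as an added Python example that is not part of the article and does not come from any real EHR product (the roles, record sections, user IDs and the `may`, `entitlements`, `access_changes` and `review_drift` functions are all hypothetical, constructed for this illustration):

```python
"""Role- and credential-based access policy for an EHR (hypothetical example).

Everything here is constructed for the demonstration: the roles, the record
sections, the sample users and the policy itself. It shows how the article's
guidance maps to a policy that can be evaluated and reviewed mechanically.
"""
from dataclasses import dataclass

# Constructed record sections and actions used throughout the example
SECTIONS = ("orders", "vitals", "hpi", "assessment_plan")
ACTIONS = ("create", "read", "modify")


@dataclass(frozen=True)
class User:
    user_id: str            # unique per system, as access establishment requires
    role: str
    licensed: bool = False  # licensure status learned during workforce clearance


# Constructed policy: what each role may create and read, per record section.
# "modify" is deliberately absent: modification is governed by the author-only
# rule in may() rather than by role.
POLICY = {
    "physician": {"create": set(SECTIONS), "read": set(SECTIONS)},
    "nurse":     {"create": {"vitals"},    "read": set(SECTIONS)},
    "auditor":   {"create": set(),         "read": set(SECTIONS)},  # read-only
    "biller":    {"create": set(),         "read": {"assessment_plan"}},
}

# Sections that only a licensed practitioner may create, regardless of role
LICENSE_REQUIRED = {"orders", "hpi", "assessment_plan"}


def may(user, action, section, author_id=None):
    """Return True if `user` may perform `action` on `section`.

    `author_id` is the user who created the entry; it is only consulted for
    "modify", where the rule is: only the original author may change an entry,
    and only if that author could have created it in the first place.
    """
    if section not in SECTIONS or action not in ACTIONS:
        return False
    if action == "modify":
        return author_id == user.user_id and may(user, "create", section)
    role_perms = POLICY.get(user.role)
    if role_perms is None:
        return False  # unknown role: deny by default
    if section not in role_perms[action]:
        return False
    if action == "create" and section in LICENSE_REQUIRED and not user.licensed:
        return False  # role alone is not enough; credentials are checked too
    return True


def entitlements(user):
    """Access establishment: the (action, section) grants this user should hold."""
    return {(a, s) for a in ("create", "read") for s in SECTIONS if may(user, a, s)}


def access_changes(old_user, new_user):
    """Access modification: grants to add and revoke when a user's role or
    credentials change (for example, a nurse who becomes a licensed practitioner)."""
    before, after = entitlements(old_user), entitlements(new_user)
    return {"grant": sorted(after - before), "revoke": sorted(before - after)}


def review_drift(user, actual_grants):
    """Periodic review: grants the user actually holds in the system that the
    current policy no longer supports (candidates for revocation)."""
    return sorted(set(actual_grants) - entitlements(user))


if __name__ == "__main__":
    nurse = User("n1", "nurse")
    print(may(nurse, "create", "vitals"), may(nurse, "create", "orders"))
    print(access_changes(nurse, User("n1", "physician", licensed=True)))
    print(review_drift(nurse, [("create", "vitals"), ("create", "orders")]))
```

The policy is evaluated per action and section rather than per screen, so the same function can drive both the front-end restriction and the periodic access review; `review_drift` is the piece that catches grants left behind after a position change.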


Stacy Harper, JD, MHSA, CPC, is a healthcare attorney with Lathrop & Gage, LLP. She is a previous member of the AAPC National Advisory Board, and currently serves on the AAPC Legal Advisory Board. Harper works with healthcare providers around the country to navigate regulatory requirements such as HIPAA, data privacy and security, Stark, Anti-kickback, state licensure, and Medicare conditions of payment and participation. She is a member of the Kansas City, Missouri, local chapter.

