Risk: Lack of unique user identification for every workforce member prior to obtaining access to ePHI.
Explanation: A user identifier is typically a name or a number or a combination of numbers and characters put together to form a string of characters that uniquely identify a user. This unique user identifier allows the information system to track the activities that a user makes in the information system. This is done so that every user of the system can be held accountable for his/her functions performed on the information systems that have ePHI in it.
Major Mitigation: Physician practices must determine a user identification strategy that best fits with the organization’s policies and processes. Some organizations use employee codes, variations of names or even identifiers that have been randomly generated by using a combination of characters and numbers. The advantage of using randomly generated identifiers is that it is difficult for an unauthorized user to guess it. On the flip side, it may be difficult for the actual user to remember it. Physician practices must consider all these factors while determining a user identifier. Whatever be the format, the important thing is that only the user of the identifier need to remember the identifier.
Secondary Mitigation: User activity in information systems containing PHI must be tracked and monitored on a regular basis to watch for unauthorized access.
Success Criteria: Periodic audits need to be performed that prove that:
- Unauthorized access to ePHI has not taken place.
- Regular monitoring of user activity has been carried out religiously.