
3 Critical Steps for Managing Third-Party Access to Your EHR

Working with vendors is a necessity for hospitals, but properly managing third-party EHR access is also critical for PHI security.


By Marti Arvin of CynergisTek

Before a hospital grants any kind of network access to users from an outside organization, like a physician’s practice, it must determine to whom access is granted and for how long. It is a complex and essential process.

This article will outline three critical steps hospital executives should take in order to effectively manage third-party access and mitigate risk of breach at their organization.

When individuals with EHR access are workforce members of the hospital, it is often possible to define role-based access and to terminate the user’s access at the same time the individual is terminated from the organization. If the user holds privileges, the process can be coordinated to terminate access if the provider loses those privileges.

Without a direct connection to the individual user, the challenges for those charged with protecting the hospital’s network significantly increase.

The desire to grant broad access to a hospital’s affiliates is based on the rationale that it promotes good patient care and helps reduce healthcare costs.


If the provider can see what happened while the patient was in the hospital, it helps them better understand how to continue care for the patient. It also allows for more prompt responses to changes, since the provider can see results for themselves rather than waiting for them to be shared.

However, while there are justifications for allowing affiliated organizations access to the entity’s EHR, allowing individuals who are not under the direct control of the granting organization access to the record comes with risks.

Therefore, a strong process needs to be developed to allow, monitor, and terminate this type of access, and the process needs to be diligently followed.

Have an agreement in place before granting access

The organization granting access should consider what type of agreement they might want to have with the other organization. The agreement needs to outline the process for granting access to users of the affiliated entity.

Whether indemnification language is included might be tied to how much risk the granting organization believes the relationship carries. Another consideration is what obligations the affiliated organization will have to demonstrate, such as appropriate training for its workforce.


The covered entity granting access might also consider what types of sanctions it would impose if the entity or the individual user engages in activity inconsistent with the policies and procedures of the granting organization, and whether to have individual users sign an agreement before granting access.

A key term of the agreement should include the affiliated organization’s obligations when a user leaves the organization. The granting organization should consider including an obligation for the affiliated organization to inform them within a defined time, such as two business days or four calendar days.

Proactively manage access

An additional safeguard of the underlying agreement could be a process for the affiliated organization to attest that users who have access to the EHR still need access every 90 to 180 days.

The affiliated organization should have a defined response time to confirm which users should still have EHR access. The consequences of not providing the attestation must be clear. If the granting hospital gives the affiliated entity one week to respond and no response is received, will they terminate access for all users of the organization until a response is received? Will they provide an additional grace period and give a warning to the entity? If access is terminated what is the process for reinstating it?

These are all considerations that should be defined and clearly communicated at the beginning of the relationship.


The hospital will also need to have a process for identifying the level of access. The entity to which access is being provided might be an insurance company using the access to perform claims audits, or a physician practice looking to review care provided for shared patients.

If it is the former, the hospital may wish to limit the access to only patients with insurance coverage from the company. If it is the latter, the hospital may only allow access to a patient record if there is an identified relationship to the physician practice. An alternative might be to allow physician practice users to look up a patient and add the association themselves.

These methods have benefits and risks. Allowing the physician practice users to look up any patient without an associated relationship would allow users to access records of patients not seen by the physician practice. However, only allowing users to see patients that have a pre-existing association in the covered entity’s record would diminish the benefit to both the users and the granting hospital.

Limiting the insurance company auditors to only those patients having the company’s insurance on their record would reduce the likelihood of a curious user looking up other patients. Direct access would still benefit the hospital because it reduces the need to have workforce members print the record or provide some other method of access.

The hospital must also consider role-based access. For example, the front office clerk should not be provided the same access as a provider in the affiliated organization. The granting organization may ask the affiliated organization to provide documentation of the role of each user, or it could simply take the affiliated organization’s word.

Another component of managing this type of access is the ongoing monitoring of the access as part of the granting organization’s larger access monitoring program.

If feasible, the granting organization may wish to distinguish non-workforce member users and create an access monitoring program that addresses some of the unique issues encountered with those users. This would be in addition to the routine access monitoring performed for the organization’s own workforce members.

Commit appropriate resources

This process requires the hospital and the affiliated entity to have a designated point person and back-up. The number and complexity of organizations the granting entity allows to access their EHR will drive the needed resources. Asking the affiliated entity to routinely update the covered entity regarding employees who no longer need access helps reduce inappropriate EHR access.

Working to create secure EHR access

OCR has settled cases with covered entities that had issues with third-party access to their EHR. If an organization does not have a robust process to manage this complex function, we could see more such settlements.

Managing EHR access for workforce members is complex. Managing access for non-workforce members is even more complex.

Covered entities must be ready to dedicate the resources to a strong process and to impose appropriate sanctions on the affiliated entity, as well as on individual users associated with that entity, when inappropriate system use is discovered.
