Securing Electronic Protected Health Information (ePHI) Version

Contents

Overview

Features are built into  applications to ensure the privacy of electronic protected health information (ePHI), in compliance with HIPAA requirements. This ePHI security effort is ongoing: as new areas are identified where protection is needed, changes in  products are made.

Key Security Areas

Key areas of the application that protect patient data are...

• User authentication procedures (passwords).
• The authority to view patient data fields on system panels, reports, spreadsheets, and downloaded files is set by a user security flag.
  Patient data is not accessible to users whose setting on the security flag restricts them from working with ePHI records.
• Logs are available to track and display user access and changes to ePHI data.
  For example, logs track users who viewed and downloaded ADT (admission, discharge, transfer) transactions and patient charge imports and exports. Logs contain the names of the files actually used.
• For features that contain patient information, audits display changes in ePHI data. For example, audits of changes on purchase order/requisition lines that contain patient information are available. Except, patient data in any audit is not visible to users who are restricted from working with ePHI records.

User Authentication

Users are required to select strong, more complex passwords for signing in to  products. The password rules are summarized below. When resetting an expired password, users must select new passwords that follow the rules.

Password rules:

1. A password must contain characters from at least three of the following four categories:

• Uppercase alphabetic characters (A–Z)
• Lowercase alphabetic characters (a–z)
• Integers 0 through 9
• Non-alphanumeric characters; for example: !, $, #, %

2. Passwords must contain at least eight characters, and no more than 15.

Figure 1 and Figure 2 show a user in the process of changing her password to "#maserati".

In Figure 1, the user has included only two of the four criteria: the password is long enough, and has a special character "#". Notice that the system provides feedback that the password is weak. This information appears as she is typing.

In Figure 2, the user has capitalized "M." This password is strong, and the system will accept it. The user could also have entered: "#8Maserati," which would be even stronger.

- Examples of good passwords: #BeMeUp?, Oh3$TWO73, 17#51Prym.
- Examples of "not-so-good" passwords: Password1, JanSmith3.

Passwords must be changed periodically. The customer record contains a field that determines how often passwords must be changed. This field is set at implementation following discussion with the customer.

Similarly, a field for password aging is also on the customer record. This field sets the quantity of previous, different passwords remembered by the system for a user. The default is 20 passwords. The maximum number of passwords that can be retained is 999. A password cannot be reused if it is one of the passwords in the system's memory.

Note: If you need a default value higher than 20, contact the Help Desk.

Example 1: Users at this site cannot reuse passwords for five years.

Figure 3 is an example of a customer record for a site. A user at the site who changes her password today must change it again in about a month (30 days), and cannot reuse the same password for five years.

Figure 3 - Customer Record Password Settings for a Site

Setting Individual User Permissions for Patient Data

On a User Profile, the Hide ePHI Data field determines whether a user can access patient data (Figure 4).

Figure 4 - The User Profile Panel: This User Cannot Access Patient-Identifying Data

Note: Previously, this field was called "Hide Medical Data."

When Hide ePHI Data is checked, a detailed series of restrictions apply to the user's access to ePHI records. The list of restrictions and examples is below.
In sum, if Hide ePHI Data is checked, the user cannot access patient-identifying information.

Important:

• By default when you create a new user profile, the Hide ePHI Data field is checked. If you wish the user to have access to ePHI records, you must manually uncheck the field. Also, when you copy a user profile, this field is checked in the copied version. Again, you must manually uncheck it for the user if appropriate.
• For a change in the Hide ePHI Data flag to take effect, the user for the User Profile must log off and then log back on again. Changing the setting alone in will not generate a difference in access to protected information. The user must log off and log in.

Changes to the Hide ePHI Data field are logged and visible from the audit table for each user.

• To display the history of changes to the Hide ePHI Data field: On the Users List, next to a user, click Menu > View Audit Info (Figure 13, red arrow).

Restricted Application Areas

Below is a list of application areas where patient medical data is not available when Hide ePHI Data on a User Profile is is checked. Several examples are provided.

From the Materials Management Imports/Exports & Financials table of contents

These protections are in place:

- ADT Patient list: Columns for patient data on the ADT Patients list do not appear.

- ADT Patient Import > Imports menu > View Import Details: Patient data columns on the ADT Patient Import Details list are not displayed.
(See Example 2.)

- Patient Charge Entry > Patient Charge Line list and Patient Charge Line Edit panel: The patient data fields do not appear.

- Patient Charge Export > Patient Charge Exports list: Menu > View Transactions:
This menu item is not available to users restricted from viewing patient data. View Transactions is grayed out.

- Patient Charge Import > Imports list menu: View Import Details: On the Patient Charge Import Details panel, patient data columns do not appear.

- Patient/Physician/Case: The patient data columns are not displayed.

Documents

- Documents associated with invoices, purchase orders, journal vouchers, and others can be flagged as containing ePHI data.
Users who upload documents can set a flag on a document to indicate that ePHI information is in the document. This flag prevents unauthorized users from displaying the document.

Example 2: ADT Patient Import Details panel does not show patient data when a user's Hide ePHI Data field is checked.

Figure 5 and Figure 5A show the panel for a non-restricted and restricted user, respectively.

To display this panel: From the Materials Management main Contents select: Imports/Exports & Financials > ADT Patient Import > Menu > View Import Details.

Figure 5 - ADT Patient Import Details: Hide ePHI Data Is Unchecked on the User Profile - User Can View ePHI

Figure 5A - ADT Patient Import Details : Hide ePHI Data Is Checked on the User Profile- User Cannot View ePHI

The prompt that completes any ADT Patient field is not available for users with Hide ePHI Data checked. (See Example 3.)

Example 3: Prompts for entering Patient ID and Admission Date on the Patient Charge Entry panel do not appear for users with the Hide ePHI Data field checked.

Figure 6 and Figure 6A show the Patient Charge Entry panel for a non-restricted and restricted user, respectively.

• To display this panel: From the Materials Management main Contents select: Imports/Exports & Financials > Patient Charge Entry > New.

Figure 6 - Patient Charge Entry: Hide ePHI Data Is Unchecked on the User Profile - User Can View ePHI

Figure 6A - Patient Charge Entry: Hide ePHI Data Is Checked on the User Profile - User Cannot View ePHI

In Materials Management, from the Requisitioning table of contents, on Requisition Imports, the View Import Details list hides data in patient fields.

The panels are similar to Figure 5 and Figure 5A for users with and without permission to access patient data.

Edits or inquiries for these locations do not display patient data:

- On a purchase order, the Case Info tabbed panel for bill-only purchase orders. (See Example 4.)
- On a requisition, the Case Info tabbed panel for bill-only requisitions.
- On a requisition import line.

Example 4: Bill-only purchase order Case Info panel does not show patient data when a user's Hide ePHI Data field is checked.

Figure 7 and Figure 7A show the bill-only PO Case Info panel for a non-restricted and restricted user, respectively. Users who are not authorized to work with ePHI data cannot display patient information on bill-only purchase orders and also cannot enter patient information when creating a purchase order.

To display this panel:
- From the Materials Management main Contents select: Purchasing > locate PO > or i (for similar inquiry information).
- Click the Case Info tab.

Figure 7 - Bill Only PO Case Info Panel: Hide ePHI Data Is Unchecked on the User Profile - User Can View ePHI

Figure 7A - Bill Only PO Case Info Panel: Hide ePHI Data Is Checked on the User Profile - User Cannot View ePHI

Patient data (ePHI) is hidden for purchase order printing and faxing when the purchase order is bill-only, for both taxable and non-taxable POs.

The Download File menu option in the following locations generates a download that contains patient data.

When the User Profile field Hide ePHI Data is checked, the Download menu option is disabled.
- Imports/Exports & Financial Data > ADT Patient Import: Imports list menu > Download (See Example 5.)
- Imports/Exports & Financial Data > Patient Charge Import: Imports list menu > Download
- Requisitioning > Requisitions > Requisition Import: Requisition Imports list menu > Download.

Example 5: The Download menu option for data that contains patient information is disabled when a user's Hide ePHI Data field is checked.

Figure 8 and Figure 8A show the show ADT Patient Imports list for a non-restricted and restricted user, respectively. For the restricted user (Figure 8A), the Download option on the Menu is grayed out. The user cannot download ADT files because the files contain ePHI data.

To display this panel: From the Materials Management main Contents select: Imports/Exports & Financials > ADT Patient Import.

Figure 8 - ADT Patient Imports for a User Who Is Allowed to View Patient Data: Download is Enabled

Figure 8A - ADT Patient Imports when User's Hide ePHI Data Flag Is On - User Cannot Download ePHI

Notice, in Figure 8A (red box and arrow), that the user with Hide ePHI Data checked cannot download patient ADT files. The user can display import details (Figure 8A, purple box), but patient information in the import details is hidden.

Lot tracking patient data is protected or hidden for Lot Tracking Patient lists and edits.

Example 6: Patient data fields on lot tracking panels are not available to unauthorized users. Changes to patient information fields on lot tracking are audited.

Figure 9 - Lot Tracking Edit Panel for a User Authorized to Work With ePHI

Figure 9A - Audit of Lot Tracking Fields Viewed by a User Authorized to Work With ePHI

In contrast, for a user with the ePHI restriction field checked on her User Profile, the Lot Tracking Patient/Physician/Case edit panel does not display patient data, nor can the user enter patient data (Figure 10). For the unauthorized user, the audit of lot tracking fields looks like Figure 10A.

Figure 10 - Lot Tracking Edit Panel for a User Not Allowed to Work With ePHI

Figure 10A - Audit of Lot Tracking Fields Viewed by a User Not Allowed to Work With ePHI

All report objects referencing patient (ePHI) data hide the data when the user's Hide ePHI Data flag is set to on. (See Example 7.)

Report objects are:

- Patient Charges
- PO Requisition Analysis
- PO Header & Line View 1
- PO Header & Line View 2
- PO Header
- Requisition Details - Warnings and Errors
- Requisition Details
- Requisition Headers

Example 7: Patient data fields are not displayed on reports if a user's Hide ePHI Data field is checked.

Figure 11 is part of a simple report definition that prints patient charges. Figure 12 and Figure 12A show the report output for a non-restricted user and a restricted user, respectively.

To display the Report Definition panel:
- From the Materials Management main Contents select: Reports > My Report Definitions.
- You can then either click New to create a new report or click edit to edit an existing report.

Figure 11 - A Report Definition for Printing Patient Charges

In Figure 12, a user with the Hide ePHI Data flag unchecked on her User Profile has printed the report. Patient data is displayed.

Figure 12 - Patient Charge Report Output: Hide ePHI Data Is Unchecked on the User Profile - User Can View ePHI

In Figure 12A, a user with the Hide ePHI Data flag checked on his User Profile has printed the report. Patient data is hidden.

Figure 12A - Patient Charge Report Output: Hide ePHI Data Is Checked on the User Profile - User Cannot View ePHI

The Spreadsheet and Quick Report links from lists automatically drop patient data fields when the Hide ePHI Data flag is on.

Changes to the fields Patient ID and Patient Account No in system internal tables for requisitions and patient charge lines are audited.

Logs and audit lists in the following locations hide patient data.

When a restricted user displays these log or audit lists, if the audit contains changes, deletions, or additions of ePHI data, the ePHI data is hidden from the user.
- Work in Administration > Administration > Users > Menu > View User Activity Log.
- From Purchase Order lists: Menu > View Audit.
- From Requisition lists: Menu > View Audit.

Access and Change Logs

Passwords and password change history are logged

Password change history is retained in the system for each user. The history is available from the audited fields list for each User ID.

• To display a user's history of password changes,
  - Select Work in Administration > Administration > Users.
  - On the Users List next to the user, click Menu > View Audit Info (Figure 13, red arrow).

Figure 13 - Auditing Changes in User Information

Records of access and changes to ePHI are logged and audited

• When an ePHI record is changed, the applications log "before" and "after" values for the change. Changes are displayed on the User Activity Log.
• The applications track the IDs of users who viewed ePHI data. The User Activity Log provides this information.
• Changes in ePHI data in requisitions and bill-only PO lines are included in the audit data for those features.

User Activity Log

• To display the User Activity Log: On the Users List, next to a user, click Menu > View User Activity Log (Figure 13, purple arrow).
  Here is a sample log (Figure 14):

Figure 14 - User Activity Log: User Is Allowed Access to ePHI Data

From the User Activity Log's audited information, the following changes to ePHI fields have been made by the user. The user edited fields in the Case Info panel for a bill-only purchase order.

Under Field Name, the Case Number, Patient Account Number, Patient ID, and Physician ID have been changed. The Audit Reason column displays "UPDATE."

The changes were made to a bill-only purchase order, on the Case Info ("BillOnlyCaseTracking") panel.
Note: Below the four BillOnlyCaseTracking entries are two entries for the addition (ADD) of PatientChargeLines.

The original value that was changed is in the Old Value column.

The new value is in the New Value column. For example, the Patient ID (third row) 912345981 was changed to 100002211.

This panel (Figure 14) was opened by a user authorized to view ePHI data. If the audit panel were opened by user whose Hide ePHI Data field is checked, patient data fields would not be visible (Figure 15).

Figure 15 - A User Activity Log: User Is Not Allowed Access to ePHI Data

Audits for POs and Requisitions

Changes in ePHI data in requisitions and bill-only PO lines are included in the audit data for those features. Users who are authorized to work with ePHI data can view the audited changes. For users whose Hide ePHI Data field is checked on their User Profiles, the audit record does not display ePHI data.

For example, on a bill-only PO where the Case Info includes ePHI data, clicking View Audit on the purchase order menu (Figure 16) displays any changes to ePHI data (Figure 17A), assuming the user is allowed to display patient information (Hide ePHI Data is unchecked on the User Profile.). A user who is not allowed to access patient information will not see values in the ePHI fields (Figure 17B).

Figure 16 - Opening an Audit for a Bill-Only Purchase Order

Figure 17A - Audit Information for a Bill-Only Purchase Order: User Permission Allows Viewing ePHI

Figure 17B - Audit Information for a Bill-Only Purchase Order: User Is Not Allowed to View ePHI

Protecting Patient Data in Attached Documents

This feature is available for documents attached to purchase orders, requisitions, receipts, invoices, check requests, vendors, and journal vouchers. When a User Profile does not allow the user to work with ePHI information, and when documents attached to invoices, POs, receipts, etc. are flagged for ePHI information, the user cannot view the documents.

The following discussion uses invoice documents as an example, but the feature is the same for the other types of attached documents.

To restrict a user's access to ePHI information:

• On the user profile General tab, select the Hide ePHI Data checkbox (Figure 18).
  

Figure 18 - The User Profile Panel: This User Cannot Access Patient (ePHI) Data

Uploading ePHI-Restricted Documents

For users who can access ePHI information, a checkbox on the Document Upload panel protects the document from display by other users without ePHI authorization.

• To upload a document with ePHI information, select Contains ePHI Data on the upload panel.
  Figure 19 is an example for an invoice document.

Figure 19 - Uploading an Invoice Document Containing ePHI Data

Accessing ePHI Protected Documents

On the Documents panel, a user who is not authorized for ePHI information sees all the documents titles, with Yes in the Contains ePHI Data column for any document that contain ePHI information (Figure 20).

Figure 20 - Unauthorized User Cannot View Invoice Documents that Contain ePHI

If the user tries to open one of these documents, the system returns an error message, and the document remains unavailable (Figure 21).

Figure 21 - Message for Unauthorized ePHI User Trying to Open a Document

The ePHI-authorized user can change the Contains ePHI Data setting for a document on the Documents panel. An example is in Figure 22.

For ePHI-authorized users, the column Contains ePHI Data has selectable fields. To change the ePHI setting for a document, click the box in the same row as the document. The example in Figure 22 displays two documents at the top that do not contain ePHI information, and three flagged documents at the bottom that do. An unauthorized user will not be able to open the three bottom documents.

Figure 22- Contains ePHI Data Flag Can Be Changed by Authorized User

User Activity Log

If the View Audit Info link is available on the documents panel menu, all users can see the audit information.

• On the documents panel, click Menu > View Audit Info next to the document for which you wish to view the activity log.
• The Audit Info panel appears with a complete list of all users, including the name of the person who added the document, and the names of everyone who viewed it.

ePHI Concerns and User Notes

As outlined is previous sections, features are built into the applications to secure electronic protected health information (ePHI). Among the features designed to protect ePHI data is a setting on the user profile that restricts unauthorized users from viewing patient information in panels, spreadsheets, reports, printed documents, and other application elements.

Important: You should be aware, however, that if you enter free-form ePHI data in user notes attached to contracts, purchase orders, requisitions, order guides, item records, invoices, and any other application documents, the ePHI data cannot be protected from display (or editing) by unauthorized users. Your site may wish to establish a policy for notes so that you are not inadvertently making ePHI information visible.

Copyright © 2023 by Premier Inc. All rights reserved.