Consent Management/Access Control & Privacy Auditing
To best ensure patient privacy and clinical access to healthcare information, you need both:
- Consent Management – incorporates access control mechanisms which allow the system to proactively block inappropriate access to a patient’s PHI according to privacy policies established by the patient, healthcare organization and jurisdiction
- Privacy Auditing – continuously tracks all access and attempted access to PHI, while a notification service – informed by consent management – immediately alerts compliance officers of inappropriate access
Consent management also supports the creation, management and enforcement of individual, organizational and jurisdictional privacy policies through access control mechanisms.
Role-based access control is inadequate for managing privacy policies. Consent management allows you to block access to PHI in accordance with privacy preferences. This enforces appropriateness of access, even when a user’s role would typically permit access.
With HIPAAT’s standards-based consent management software…
Individuals are able to:
- Confirm or refuse participation in electronic health information sharing
- Create, edit, store and withdraw health information privacy policies – for example, “do not disclose my medication history,” “do not disclose my PHI for research purposes” or “do not disclose my PHI to Dr. John Smith”
- Allow or deny override (break-the-glass) access to PHI, as permitted by law
Healthcare providers, hospitals, health systems and HIEs are able to:
- restrict access to a patient’s PHI – to a granular level – at the patient’s request, with no perceptible impact to clinical workflow
- create and record organizational privacy policies – for example, “restrict internal use of employees’ health information”
- create and record jurisdictional policies – for example, “restrict disclosure of mental health records”
- have access to restricted PHI – legislation permitting – when needed. This is called “break-the-glass” or “override” access, and it generates a security alert to the privacy officer.
Our standards-based auditing software generates a real-time audit trail of all access – and attempted access – to PHI and privacy policies. And when a clinician overrides a privacy restriction (break-the-glass access to PHI), the privacy officer is automatically notified by email. This allows the privacy officer to follow up on the potential breach, and make the patient aware of the situation and the reason for it.
Examples of inappropriate attempted access to PHI include a clinician who tries to access PHI that their role permits but that the patient has disallowed, or a clinician who tries to access PHI that their role permits but for a patient who is not under their care.
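The access model described above (a consent layer that can deny what a role would otherwise permit, patient, organizational and jurisdictional deny policies, a break-the-glass override that raises an alert, and an audit trail of every access and attempted access) can be shown compactly in code. The following is an added illustration, not HIPAAT's software: the role table, policy schema, user and patient identifiers and the notification hook are all constructed for the example. It flags exactly the two cases of inappropriate attempted access named in the text: role permits but the patient has disallowed it, and role permits but the patient is not under the user's care.

```python
"""Consent-aware access control layered over RBAC, with break-the-glass
override and a privacy audit trail. Constructed example; not HIPAAT's code."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set

# Constructed role table: which PHI categories each role may read at all.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"demographics", "medications", "labs", "mental_health"},
    "nurse": {"demographics", "medications", "labs"},
    "billing_clerk": {"demographics"},
}


@dataclass
class AccessRequest:
    user: str
    role: str
    patient: str
    category: str                              # PHI category requested
    purpose: str = "treatment"                 # e.g. "treatment", "research"
    break_glass_reason: Optional[str] = None   # set to invoke override


@dataclass
class DenyPolicy:
    """A privacy rule that blocks access. `level` is 'patient', 'organization'
    or 'jurisdiction'; an attribute left as None matches any value."""
    level: str
    description: str
    patient: Optional[str] = None
    category: Optional[str] = None
    user: Optional[str] = None
    purpose: Optional[str] = None
    overridable: bool = True   # patient or law may forbid break-the-glass

    def matches(self, req: AccessRequest) -> bool:
        return (self.patient in (None, req.patient)
                and self.category in (None, req.category)
                and self.user in (None, req.user)
                and self.purpose in (None, req.purpose))


@dataclass
class Decision:
    allowed: bool
    reason: str
    flagged: bool = False    # role permitted it, consent or care relation did not
    override: bool = False   # granted only through break-the-glass


class ConsentEngine:
    def __init__(self, policies: List[DenyPolicy],
                 care_teams: Dict[str, Set[str]],
                 notify: Callable[[dict], None]):
        self.policies = policies
        self.care_teams = care_teams      # patient -> users currently treating them
        self.notify = notify              # privacy-officer alert hook (constructed)
        self.audit_log: List[dict] = []   # every access and attempted access

    def authorize(self, req: AccessRequest) -> Decision:
        # 1. RBAC gate: a role with no right to the category is an ordinary deny.
        if req.category not in ROLE_PERMISSIONS.get(req.role, set()):
            decision = Decision(False, "role does not permit this PHI category")
        else:
            # 2. Consent layer: the role permits, so check care relation and policies.
            obstacles: List[str] = []
            if req.user not in self.care_teams.get(req.patient, set()):
                obstacles.append("patient is not under this user's care")
            denies = [p for p in self.policies if p.matches(req)]
            obstacles += [f"{p.level} policy: {p.description}" for p in denies]
            if not obstacles:
                decision = Decision(True, "permitted by role and consent")
            elif req.break_glass_reason and all(p.overridable for p in denies):
                # 3. Break-the-glass: granted, but recorded and alerted as an override.
                decision = Decision(True, f"override: {req.break_glass_reason}",
                                    override=True)
            else:
                decision = Decision(False, "; ".join(obstacles), flagged=True)
        self._audit(req, decision)
        return decision

    def _audit(self, req: AccessRequest, decision: Decision) -> None:
        entry = {"time": datetime.now(timezone.utc).isoformat(),
                 **asdict(req), **asdict(decision)}
        self.audit_log.append(entry)
        if decision.flagged or decision.override:   # both reach the privacy officer
            self.notify(entry)


def run_demo():
    """Constructed scenarios: returns (engine, decisions, alerts) for inspection."""
    alerts: List[dict] = []
    engine = ConsentEngine(
        policies=[
            DenyPolicy("patient", "do not disclose my medication history",
                       patient="P001", category="medications"),
            DenyPolicy("patient", "do not disclose my PHI to Dr. John Smith",
                       patient="P001", user="jsmith"),
            DenyPolicy("patient", "do not disclose my PHI for research purposes",
                       patient="P001", purpose="research", overridable=False),
            DenyPolicy("jurisdiction", "restrict disclosure of mental health records",
                       category="mental_health"),
        ],
        care_teams={"P001": {"bjones", "anurse"}},
        notify=alerts.append,
    )
    requests = [
        AccessRequest("bjones", "physician", "P001", "labs"),           # routine, allowed
        AccessRequest("bjones", "physician", "P001", "medications"),    # patient disallowed
        AccessRequest("jsmith", "physician", "P001", "demographics"),   # not under his care
        AccessRequest("bjones", "physician", "P001", "medications",
                      break_glass_reason="ER: suspected overdose"),     # override
        AccessRequest("clerk1", "billing_clerk", "P001", "medications"),  # RBAC deny
        AccessRequest("bjones", "physician", "P001", "labs", purpose="research",
                      break_glass_reason="study recruitment"),          # not overridable
    ]
    decisions = [engine.authorize(r) for r in requests]
    return engine, decisions, alerts


if __name__ == "__main__":
    _, decs, alerts = run_demo()
    for d in decs:
        print(f"allowed={d.allowed} flagged={d.flagged} override={d.override}: {d.reason}")
    print(f"{len(alerts)} alert(s) sent to the privacy officer")
```

Two design points are worth noting. A plain RBAC refusal is logged but not escalated, because nothing inappropriate was attempted; only requests the role would have permitted and the consent layer stopped (or that went through as an override) generate an alert, which keeps the privacy officer's queue to the cases the text describes. Making `overridable` a per-policy attribute is how a patient's or jurisdiction's refusal of break-the-glass is expressed; the research-purpose rule in the demo cannot be overridden even with a stated reason.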
Our auditing solution enables authorized administrators to generate simple, detailed and customized audit reports.