Consent Management/Access Control & Privacy Auditing

To best ensure patient privacy and clinical access to healthcare information, you need both:

  • Consent Management – incorporates access control mechanisms which allow the system to proactively block inappropriate access to a patient’s PHI according to privacy policies established by the patient, healthcare organization and jurisdiction
  • Privacy Auditing – continuously tracks all access and attempted access to PHI, while a notification service – informed by consent management – immediately alerts compliance officers of inappropriate access

Consent management enables individuals to establish privacy preferences to decide who may use or disclose their PHI, what PHI may be accessed, for what purposes, and under what circumstances.

It also supports the creation, management and enforcement of individual, organizational and jurisdictional privacy policies through access control mechanisms.

Role-based access control is inadequate for managing privacy policies. Consent management allows you to block access to PHI in accordance with privacy preferences. This enforces appropriateness of access, even when a user’s role would typically permit access.

With HIPAAT’s standards-based consent management software

Individuals are able to:

  • confirm or refuse participation in electronic health information sharing
  • create, edit, store and withdraw health information privacy policies – for example, “do not disclose my medication history,” “do not disclose my PHI for research purposes” or “do not disclose my PHI to Dr. John Smith”
  • allow or deny override (break-the-glass) access to PHI, as permitted by law

Healthcare providers, hospitals, health systems and HIEs are able to:

  • restrict access to a patient’s PHI – to a granular level – at the patient’s request, with no perceptible impact to clinical workflow
  • create and record organizational privacy policies – for example, “restrict internal use of employees’ health information”
  • create and record jurisdictional policies – for example, “restrict disclosure of mental health records”
  • have access to restricted PHI – legislation permitting – when needed. This is called “break-the-glass” or “override” access, and it generates a security alert to the privacy officer.

Auditing is the key to health information privacy management, allowing provider organizations, hospitals, health systems and HIEs to actively address patient privacy and measure compliance with established privacy policies.

Our standards-based auditing software generates a real-time audit trail of all access – and attempted access – to PHI and privacy policies. And when a clinician overrides a privacy restriction (break-the-glass access to PHI), the privacy officer is automatically notified by email. This allows the privacy officer to follow up on the potential breach, and make the patient aware of the situation and the reason for it.

Examples of inappropriate attempted access to PHI include: a clinician whose role permits access to PHI attempts to access it, but the patient has disallowed it; or a clinician whose role permits access to PHI attempts to access a patient’s record, but the patient is not under their care.
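The two passages above describe the same decision logic from two sides: a consent layer that can block access a role would otherwise permit, and an audit/notification layer that records every attempt and alerts the privacy officer when access is inappropriate or when break-the-glass is used. The following is an added illustration, not HIPAAT’s code or any standard’s reference implementation; the roles, PHI categories, user and patient identifiers, policies and the `decide`/`_record` helpers are all constructed for the example. It evaluates role permission first, then care relationship, patient consent directives and a jurisdictional restriction, lets a clinician override privacy restrictions (never role limits) only where the patient’s policy permits it, and writes every outcome to an audit trail, with alerts standing in for the privacy officer’s email.

```python
"""Consent-aware access decision on top of role-based access control,
with an audit trail and break-the-glass alerts. Added example; every
name, role, policy and identifier below is constructed, not real data."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role permissions: PHI categories each role may normally read.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "medications", "mental_health", "lab_results"},
    "nurse": {"demographics", "medications", "lab_results"},
    "billing_clerk": {"demographics"},
}


@dataclass
class ConsentPolicy:
    """A patient's privacy directives (e.g. 'do not disclose my medication history')."""
    patient_id: str
    denied_categories: set = field(default_factory=set)  # PHI withheld from everyone
    denied_users: set = field(default_factory=set)       # specific users withheld
    denied_purposes: set = field(default_factory=set)    # e.g. {"research"}
    allow_override: bool = True                          # break-the-glass permitted?


@dataclass
class AccessRequest:
    user_id: str
    role: str
    patient_id: str
    category: str
    purpose: str = "treatment"
    override: bool = False  # clinician explicitly invokes break-the-glass


@dataclass
class Decision:
    permitted: bool
    reason: str
    alert: bool = False  # True when the privacy officer must be notified


AUDIT_LOG: list = []  # every access and attempted access
ALERTS: list = []     # entries that would trigger the privacy-officer email


def _record(req, decision):
    """Append the outcome to the audit trail; raise an alert when flagged."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "user": req.user_id, "role": req.role, "patient": req.patient_id,
        "category": req.category, "purpose": req.purpose,
        "override_requested": req.override,
        "permitted": decision.permitted, "reason": decision.reason,
    }
    AUDIT_LOG.append(entry)
    if decision.alert:
        ALERTS.append(entry)
    return decision


def decide(req, policies, care_team, jurisdiction_restricted=frozenset({"mental_health"})):
    """Role check first (cannot be overridden), then privacy restrictions:
    care relationship, patient consent, jurisdictional rule. A privacy
    restriction may be overridden by break-the-glass if the patient allows it,
    and any denial or override of a privacy restriction raises an alert."""
    policy = policies.get(req.patient_id, ConsentPolicy(req.patient_id))

    if req.category not in ROLE_PERMISSIONS.get(req.role, set()):
        return _record(req, Decision(False, "role does not permit this PHI category"))

    restriction = None  # first privacy restriction blocking this request
    if req.user_id not in care_team.get(req.patient_id, set()):
        restriction = "patient is not under this user's care"
    elif req.category in policy.denied_categories:
        restriction = f"patient withholds '{req.category}'"
    elif req.user_id in policy.denied_users:
        restriction = "patient withholds PHI from this user"
    elif req.purpose in policy.denied_purposes:
        restriction = f"patient withholds PHI for purpose '{req.purpose}'"
    elif req.category in jurisdiction_restricted and req.purpose != "treatment":
        restriction = f"jurisdiction restricts disclosure of '{req.category}'"

    if restriction is None:
        return _record(req, Decision(True, "permitted by role, care relationship and consent"))
    if req.override and policy.allow_override:
        return _record(req, Decision(True, f"break-the-glass override of: {restriction}", alert=True))
    return _record(req, Decision(False, restriction, alert=True))


# Constructed sample data: two patients with directives, one with none.
SAMPLE_POLICIES = {
    "pt-1001": ConsentPolicy("pt-1001", denied_categories={"medications"},
                             denied_users={"dr_smith"}, denied_purposes={"research"}),
    "pt-1002": ConsentPolicy("pt-1002", denied_categories={"lab_results"},
                             allow_override=False),
}
SAMPLE_CARE_TEAM = {"pt-1001": {"nurse_lee", "dr_patel", "dr_smith"}, "pt-1002": {"dr_patel"}}


def run_scenarios():
    """Run the access patterns the text describes and return each decision."""
    d = lambda *a, **k: decide(AccessRequest(*a, **k), SAMPLE_POLICIES, SAMPLE_CARE_TEAM)
    return {
        "nurse_reads_labs": d("nurse_lee", "nurse", "pt-1001", "lab_results"),
        "clerk_reads_meds": d("clerk_ann", "billing_clerk", "pt-1001", "medications"),
        "withheld_from_dr_smith": d("dr_smith", "physician", "pt-1001", "demographics"),
        "not_under_care": d("dr_patel", "physician", "pt-1003", "lab_results"),
        "meds_withheld": d("dr_patel", "physician", "pt-1001", "medications"),
        "break_the_glass": d("dr_patel", "physician", "pt-1001", "medications", override=True),
        "override_refused": d("dr_patel", "physician", "pt-1002", "lab_results", override=True),
        "jurisdiction_research": d("dr_patel", "physician", "pt-1002", "mental_health", purpose="research"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24} permitted={result.permitted!s:5} alert={result.alert!s:5} {result.reason}")
    print(f"{len(AUDIT_LOG)} audit entries, {len(ALERTS)} alerts")
```

Two design points match the text: a role-based denial is ordinary enforcement and produces an audit entry but no alert, whereas any request the role would permit but a privacy restriction blocks is treated as an inappropriate attempt and alerted; and break-the-glass is itself permitted access that still alerts, so the privacy officer can follow up with the patient on why the restriction was overridden.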

Our auditing solution enables authorized administrators to generate simple, detailed and customized audit reports.
