HIPAA requires exact copies of ePHI to be stored in an offsite data storage facility. This is to ensure that ePHI is always available in situations where a natural disaster, accident, or hacking incident compromises ePHI stored onsite.
User Authentication, Access Management, and Audit Logs
As part of HIPAA software requirements, ePHI access must be limited to the minimum necessary to perform a job function. Under the minimum necessary standard, only employees that require access to ePHI should be granted access. As such, software platforms must enable each of an organization’s employees to be given unique login credentials to access the platform. Through unique login credentials, administrators can implement access controls that assign each employee a different access level depending on their job function. These unique login credentials also enable ePHI access to be tracked and recorded through audit logs. By keeping audit logs, impermissible access to ePHI can be detected quickly.
To prevent unauthorized access to ePHI, it is important that software platforms enable automatic logoff after a period of inactivity. Administrators should be able to choose appropriate automatic logoff times. For instance, software accessed from a front desk computer in a doctor’s office would need a shorter automatic logoff time than the same software on a computer in a locked room.
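The controls described above (unique per-user sessions, role-based minimum-necessary access, an audit log of every attempt, and an administrator-chosen idle timeout per workstation) fit together as in the following added example; it is illustrative code written for this page, not part of any HIPAA product, and the roles, users, permissions and timeouts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Minimum-necessary permissions per job function (constructed example roles).
ROLE_PERMISSIONS = {"physician": {"read_phi", "write_phi"}, "front_desk": {"read_schedule"}}

@dataclass
class Session:
    user: str
    role: str
    last_activity: datetime
    idle_timeout: timedelta  # chosen by the administrator per workstation

class AccessGateway:
    def __init__(self):
        self.sessions = {}   # one session per unique login
        self.audit_log = []  # (time, user, action, outcome) for every attempt
    def login(self, user, role, now, idle_timeout):
        self.sessions[user] = Session(user, role, now, idle_timeout)
        self.audit_log.append((now, user, "login", "ok"))
    def access(self, user, permission, record_id, now):
        session, action = self.sessions.get(user), f"{permission}:{record_id}"
        if session is None:
            self.audit_log.append((now, user, action, "denied:no-session"))
            return False
        if now - session.last_activity > session.idle_timeout:
            del self.sessions[user]  # automatic logoff after inactivity
            self.audit_log.append((now, user, action, "denied:auto-logoff"))
            return False
        session.last_activity = now
        if permission not in ROLE_PERMISSIONS.get(session.role, set()):
            self.audit_log.append((now, user, action, "denied:role"))
            return False
        self.audit_log.append((now, user, action, "ok"))
        return True

def denied_events(gateway):
    # Review query: impermissible or expired access attempts stand out in the log.
    return [e for e in gateway.audit_log if e[3].startswith("denied")]

def run_scenario():
    # Constructed sequence: front-desk PC gets a 2-minute timeout, exam room 15 minutes.
    g, t0 = AccessGateway(), datetime(2024, 1, 1, 9, 0)
    g.login("fd1", "front_desk", t0, timedelta(minutes=2))
    g.login("dr1", "physician", t0, timedelta(minutes=15))
    g.access("fd1", "read_schedule", "day", t0 + timedelta(minutes=1))  # ok
    g.access("fd1", "read_phi", "pt42", t0 + timedelta(minutes=1.5))  # denied:role
    g.access("fd1", "read_schedule", "day", t0 + timedelta(minutes=5))  # denied:auto-logoff
    g.access("dr1", "read_phi", "pt42", t0 + timedelta(minutes=10))  # ok
    return g
```

The denied entries are what a reviewer filters for when checking the log for impermissible access; the front-desk session expires while the physician's longer timeout keeps that session alive.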