The primary reason Denticon requires a unique login is so that our dental software company follows the federally mandated HIPAA guidelines for compliance.
Each person who accesses Denticon must have a unique user ID and password, one per human. Generic names and shared user IDs and passwords are prohibited.
Why?
- With shared and generic names, there is no audit trail to keep track of each user’s keystrokes. An audit trail is critical for tracing problems, issues, and theft.
- HIPAA security audits include checking that all personnel have unique user IDs and passwords. Without a unique login, the dentist/office owner is subject to fines for security violations.
- The Denticon contract spells out the requirement for unique username logins.
According to the HIPAA Security Series, the Security Rule defines technical safeguards in § 164.304 as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
Shared-name logins do not allow for user responsibility and accountability for the transactions that are entered. Shared-name logins also do not allow office administrators to determine exactly which person made a particular entry.
NOTE: The HIPAA information cited below may be found at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf?language=es
The Security Rule defines access in § 164.304 as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. (This definition applies to “access” as used in this subpart, not as used in subpart E of this part [the HIPAA Privacy Rule]).” Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement as part of § 164.308(a)(4), the Information Access Management standard under the Administrative Safeguards section of the Rule.
The Access Control standard requires a covered entity to:
“Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4) [Information Access Management].”
A covered entity can comply with this standard through a combination of access control methods and technical controls. There are a variety of access control methods and technical controls that are available within most information systems. The Security Rule does not identify a specific type of access control method or technology to implement.
Four implementation specifications are associated with the Access Controls standard.
1. Unique User Identification (Required) § 164.312(a)(2)(i)
The Unique User Identification implementation specification states that a covered entity must: “Assign a unique name and/or number for identifying and tracking user identity.”
2. Emergency Access Procedure (Required) § 164.312(a)(2)(ii)
This implementation specification requires a covered entity to: “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”
3. Automatic Logoff (Addressable) § 164.312(a)(2)(iii)
Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must: “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”
4. Encryption and Decryption (Addressable) § 164.312(a)(2)(iv)
Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must: “Implement a mechanism to encrypt and decrypt electronic protected health information.”