Transcript
[Transcript] Episode 521: Practical Steps for Avoiding Shared Admin Accounts and Managing Role-Based Access
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance, all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 521: Practical Steps For Avoiding Shared Admin Accounts and Managing Role Based Access.
Liath Dalton
Indeed. So last week, we talked all about the risks and pitfalls of having shared admin accounts and not managing role based access, both in terms of some of the logistical implications, but more specifically, looking at the HIPAA standards that that violates.
Liath Dalton
So today, we’re going to be talking about all of those practical steps that you can take to manage this correctly, and easily too. Efficiently.
Evan Dumas
Mhm, yeah.
Liath Dalton
So first off, Evan, what’s something that we do in terms of applying the risk analysis process and HIPAA standards here at the outset?
Evan Dumas
Yeah, yeah, you first got to find out who’s got access to what, what’s being shared, and ideally, what their roles are. So, do a quick inventory of, sort of, what you got going on across all your systems, and just get a sense.
Evan Dumas
You know, this will be easy if you have a smaller practice, but you know, if you have any question marks or any fuzzy areas, it’s so good to know how it all works before you go about making any changes.
Liath Dalton
Exactly. So that kind of system access inventory looks like identifying what your systems are. So, all the systems that store, transmit, or access client data. So, something like, what’s the system, name and type, e.g., EHR, email, billing, file storage, etc. Is that a HIPAA compatible system? Do you have a BAA in place? And then define your team roles and responsibilities. What are the primary roles in your practice, and what information or tools do those roles need access to?
Liath Dalton
So something like, here’s the clinician role, they need access to X, Y and Z. They should not access X, Y and Z, and so on for each distinct role type within your practice.
Liath Dalton
And then moving on to assigning individual logins and tracking that for every system that each person has a unique login for, and noting in that not just that a unique login was created and assigned, but that the appropriate role based level of access within that system was assigned as well.
Liath Dalton
And then another piece that is really significant is managing shared emails.
Evan Dumas
Yeah.
Liath Dalton
This comes up, I think, in every single practice, right? And is going to be typically around a shared inbox for things like admin@ or billing@, intake@. And, as we said in last week’s episode, this is a legitimate need, to have one uniform inbox where clients are sending queries or information to, and you don’t want to have to be changing that every time the person filling that role changes.
Evan Dumas
Yeah.
Liath Dalton
Or in larger practices where you have multiple admins, in particular, that, of course, is going to get really cumbersome, and you’re going to need to have a means for multiple people to be handling that same inbox and to track who does what within that inbox. That’s really important for your team management and quality assurance and accountability.
Liath Dalton
So the fantastic mechanism for that particular use case is delegation, and we’re going to get into that a little bit more next.
Liath Dalton
So after you manage the various system access, the next piece is going to be managing the shared email needs. Typically, the best mechanism for that is going to be a delegated inbox, over an alias.
Liath Dalton
And then the next step in this sort of access control audit and practical implementation piece is going to be looking at what your onboarding and off boarding process entails.
Evan Dumas
Mhm.
Liath Dalton
So making sure that you’ve created and reviewed procedures to grant and revoke access.
Evan Dumas
Yeah.
Liath Dalton
Both securely and consistently. The consistently piece is really crucial.
Evan Dumas
Yeah.
Liath Dalton
And that includes making sure that new hires receive only the necessary system access based on their role, that that access is documented and approved, and that once they are needing to be offboarded, that the offboarding process includes the immediate revocation of access from all systems.
Evan Dumas
Yeah.
Liath Dalton
And that if you have a shared or delegated inbox, that those permissions are updated immediately. And then, of course, that you are reviewing the audit logs for every system that has multiple team member access with the frequency or a periodicity that your risk analysis results have defined as required for that particular system.
Liath Dalton
So let’s get into how email delegation works.
Evan Dumas
Yeah. So, email delegation is pretty rad. All systems handle it a little bit differently, so you’ll want to check on how you do, but usually it’s like one inbox is sort of where all the emails you know come into and then you, as the owner of that inbox, can delegate to other accounts that you have varying rights of access. Like saying, like, oh, can they open emails? Can they reply to emails? Can they have access to it? But they’re only logging in under their account, so they have, like, limited control, but all their use is, you know, logged and checked. So in that way, it’s two different users, but they both have access to one account, which is really wonderful.
Liath Dalton
Exactly. So for example, if you have an admin@practice as a user account within your system. And here we’re probably primarily talking about Google Workspace or Microsoft 365, right?
Evan Dumas
Mhm.
Liath Dalton
So you have that as an actual user account within your platform, but then you have individual users. Example: liath@practice and evan@practice. We each have our own distinct user accounts, but you delegate the admin@practice account inbox to those individual users. To Evan and myself in this example.
Evan Dumas
Mhm, mhm.
Liath Dalton
So we each can, we each are logging in with our own account. The liath@ or evan@, but can view and respond from a delegated account.
Liath Dalton
And this is important. When you’re responding from a delegated account, the response would not come from liath@ or evan@, it comes from admin@, right?
Evan Dumas
Yeah.
Evan Dumas
Uh-huh.
Liath Dalton
But then you can revoke access to admin@ as needed,
Evan Dumas
Mhm, yeah.
Liath Dalton
without changing the password for admin@.
Evan Dumas
Exactly.
Liath Dalton
So this is an ideal solution for the sort of most common use case scenario that precipitates the sharing of accounts that we see in practice.
Evan Dumas
Mhm.
Liath Dalton
Aliases can also be set up for shared inboxes, but that works a little bit differently and is usually going to be less beneficial than a delegated account. Evan, can you explain to us how aliases work?
Evan Dumas
Yeah. Aliases are another sort of weird way for, if you want to have, like, multiple accesses to a system, you can create an account in like admin, plus something else, plus some other account name, like plus news or plus Evan or whatnot, and that can kind of forward to someone else’s inbox. Which is okay, if you want to, like, you know, disseminate and share information to multiple people, but it doesn’t allow the person to then, you know, reply as admin.
Evan Dumas
So, like it’s, you don’t want them interacting with the customers or whatnot, because it doesn’t let you do that. It lets you share it. Which is great. And you know, also this little trick of aliases is good if you have multiple services you want to log in as and sort of record, oh, which, which service did I do that? Oh, admin, plus something or other, something like that.
Liath Dalton
Mhm.
Evan Dumas
So it’s you may see it mentioned when it comes to the sort of email sharing feature. We definitely recommend delegation over it,
Liath Dalton
Yes.
Evan Dumas
but there are specific use cases for aliases that are, that work.
Liath Dalton
Mhm, exactly. But in terms of the email delegation, because that’s really what solves for the majority of needs that we’re trying to provide for meeting here, the benefit is, of course, that it maintains professionalism with a shared address, while keeping the access controlled. So the people who are interacting with that email account are going to have continuity of I’m interacting with admin@ or billing@, not sending a message to that address and getting a response from someone else.
Liath Dalton
It also is providing accountability, because responses can be tracked by individuals, not just admin@. So in your system, from your own, like, super admin dashboard, you’ll be able to see who did what, when. Which is necessary from a HIPAA compliance standpoint, but is also really important in managing quality assurance and being able to manage your workforce appropriately and make sure folks are doing what they need to do, when they need to do it, and that if they aren’t, that you’re able to identify who that is, or where things are falling short, so that you can take corrective or remedial action appropriately, right?
Evan Dumas
Yeah.
Liath Dalton
And then this setup of email delegation is super scalable and easy to manage. And you can just update access permissions as and when needed.
Evan Dumas
Yeah.
Liath Dalton
So if you aren’t using delegated accounts for your fixed addresses, get that set up and in place, and it will make your life so much easier,
Evan Dumas
Oh yeah.
Liath Dalton
as well as really address some existent gaps in HIPAA Security Rule standard compliance, if that’s not currently in place.
Evan Dumas
Mhm.
Liath Dalton
So this is one of those great circumstances where it’s really pretty minimal changes, not too cumbersome to put into place. Like not very time consuming, but has massive payout
Evan Dumas
Mhm.
Liath Dalton
in terms of the benefits that it provides for.
Evan Dumas
Mhm.
Liath Dalton
So get that in place.
Liath Dalton
And then, of course, we know the next question is going to be, “But wait a minute, what if we are using systems that don’t provide for having multiple user logins?”
Evan Dumas
Yeah.
Liath Dalton
And Evan, this is something that comes up in risk analyses and risk mitigation planning,
Evan Dumas
Yup.
Liath Dalton
when you’re going through this with folks. So tell us all about it.
Evan Dumas
Yeah. Often I’ll get group owners or compliance officers speaking to me about how, hey, we’re growing, and, you know, we’ve been using this one system for a long time that doesn’t allow role based access, or maybe they didn’t know that was something that needed to be cared about.
Evan Dumas
And so through the risk assessment, I say, Oh, are you sharing passwords? Are you sharing access? And they’re like, Yeah, wait. Is that a problem? And then we discover it. So here’s some things you can do.
Evan Dumas
So the hardest one: maybe reassess use of that system. This might be time to upgrade to something that’s, you know, compliance compatible, aka, lets you have multiple users. This may be an added cost, but if you’ve been sort of hobbling along and saying, oh, you know, it’s too expensive, or, you know, we’ve been making do, I say it’s high time to treat yourself to something that works. To not just making do, to not having these, like, kludgy solutions, to actually get something that lets you, you know, operate with a compliance mindset, but lets you have delegation, lets you share, lets you have multiple users.
Evan Dumas
So that’s, you know, probably the most expensive and hard solution. Other solutions. Oh, sorry, you wanted to speak in Liath?
Liath Dalton
No, no, go ahead.
Evan Dumas
Okay. Other solutions are reaching out to the system creators to see if the feature can be added. There are some systems out there that I hear have really great turnaround time and do respond to people’s feedback for changes in settings, things like that. So you know, if it’s not a feature, reach out to them saying, “Hey, we use it in this way, we know this isn’t compliant, we want to be compliant. Can you help us make it be compliant? Or else we’re going to switch to another system.” That may light a little fire under them to make the changes.
Evan Dumas
Now, if all of this is being said and you can’t and you’re like, no, they’re the only people in town that do this, this is the only way, and we have multiple clinicians that need access. A couple things you can do, if you absolutely need to share credentials.
Evan Dumas
One: plan for the worst case scenario of being locked out. Say someone leaves, is upset and changes the password. Or, even worse, worst case scenario, they take access to all of the clients and then maybe sell it to someone else, or maybe destroy access.
Liath Dalton
Unfortunately, I’ve seen where this happened with a disgruntled admin.
Evan Dumas
Oh, yeah.
Liath Dalton
Like, VA, who then took the entire client list and started shopping it to other
Evan Dumas
Yeah!
Liath Dalton
practices,
Evan Dumas
Which isn’t how it works, even.
Liath Dalton
in the area, right?
Evan Dumas
Like, that’s not how the industry even works.
Liath Dalton
Massive HIPAA breach.
Evan Dumas
Yeah. And so, you know, we at PCT are exposed more to worst case scenarios, because, you know, we’re the helpers for those scenarios, but this can happen. So plan for the worst case.
Evan Dumas
Also, document all of these risks that you are accepting. So a risk analysis, as a part of the mitigation plan is either mitigating the risk, taking care of it, or accepting the risk and documenting why. What are you doing to prevent this? What safeguards do you have in place that would remedy this?
Liath Dalton
Right.
Evan Dumas
And maybe this is something all you’re doing while you’re reassessing, while you’re trying to get something changed, but please. Document these risks and why you’re accepting them, and what you’re doing about it to make it not as bad.
Liath Dalton
Right. The documentation needs to be including, like, why it’s quote, unquote reasonable and appropriate to accept this risk. And as Evan said, that’s going to include the measures that you’re putting in place as sort of your contingency plans and mitigation plans for how you’re going to prevent the worst case scenario from being realized, or lessen the likelihood that the worst case scenario risk is realized, and in the event that it is, what your response plan is going to be.
Liath Dalton
And so, it’s important to note that when accepting risks, you can’t, just like, have a non compliance compatible practice where you’re violating all of the standards and say, Well, I’m going to accept them.
Evan Dumas
Haha, no.
Liath Dalton
I’m just going to accept these risks, and it’s okay, because, like, we’re a lot smaller than that big hospital that just had a big data breach. And so the HIPAA regulators are going to be more focused on the big fish, instead of us, right?
Evan Dumas
Yeah.
Liath Dalton
That’s not responsible, or even what the sort of provision that allows for acceptance of certain risks, what that provision is intended to provide for. That provision is when there are not the technical capabilities for things to be done any other way, and there is no viable alternative solution, right?
Evan Dumas
Yeah.
Liath Dalton
That this is a legitimate and specific need within the practice, operationally or for client care delivery purposes, and it can’t be met any other way.
Evan Dumas
Yeah, you can’t just say, I don’t wanna. That doesn’t work.
Liath Dalton
Right, right. So this is very, very specific, but there is a provision for it. And you know we are talking about primarily where HIPAA applies, right, which means to systems that contain client information. And so any system that is being provided by a third party service provider that will execute a Business Associate Agreement should have the ability to have unique logins, individual logins for a multitude of users, because that’s sort of part of what a business associate needs to be providing for, is the ability of a covered entity to use their platform in the intended way, in compliance with HIPAA standards.
Liath Dalton
So it’s more common to find a system that is not designed for HIPAA compliance compatibility, that doesn’t allow for individual logins, and if it’s something that is not containing any client info, then that’s outside the scope of HIPAA. So it’s an area where you’re not violating HIPAA if you do share login credentials.
Liath Dalton
The big caution that Evan and I have there, though, is that it’s setting a bad precedent. So we do want to avoid that, if at all possible, for these systems that don’t contain client info, maybe it’s a platform more related to marketing activity. And we still would say, even though it’s way less significant and consequential than credential sharing for any systems that contain client info, it still can set a bad precedent.
Evan Dumas
Yeah.
Liath Dalton
And be something that contributes to an overall weakening of security culture, or sort of waters down the adherence to or understanding of the importance of the security policies and procedures that are in place in the practice. So just keep that in mind, but you definitely want to be distinguishing, when you’re evaluating risks, between PHI containing systems and non-PHI containing systems.
Evan Dumas
Mhm, yeah, yeah.
Liath Dalton
Any other important points on this that we should note, Evan?
Evan Dumas
No, I think these quick wins covered quite a lot of territory.
Liath Dalton
I think it did indeed. So thank you everyone for joining us. We hope you found this helpful, and we’ll look forward to chatting to you next week.
Evan Dumas
Yeah, talk to you next week, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast, or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we share a how-to guide for managing role-based access and shared accounts with HIPAA in mind.
We discuss:
- How to audit system access in your practice
- Defining roles and responsibilities to determine access
- Managing shared email accounts with email delegation
- The difference between email aliases and delegated accounts
- Steps to take when systems don’t allow for multiple logins
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
PCT Resources:
- PCT Article: The Risk No One Talks [Enough] About: Shared Admin Accounts… And What To Do About It (with action items list)
- Free CE course for group practice leaders: Introduction to HIPAA Security for Group Practice Leaders (1 legal-ethical CE credit hour)
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
- PCT’s Comprehensive HIPAA Security Compliance Program (discounted) bundles:
- For Group Practices
- For Solo Practitioners