The Risk No One Talks [Enough] About: Shared Admin Accounts… And What To Do About It
In many mental health group practices, the use of shared admin logins might seem like a practical shortcut. Everyone on the admin team can check the same email or access the billing system without juggling multiple accounts. But behind this convenience lies a compliance and security risk that many practice owners don’t realize they’re taking.
This article explores how shared admin accounts violate HIPAA’s Access Control, Minimum Necessary, and Audit Controls standards and outlines the simple changes practices can make to strengthen security, improve accountability, and stay in alignment with compliance requirements.
Why Shared Accounts Are a Risk
From a HIPAA Security Rule standpoint, using shared login credentials is a clear violation. [It’s important to note that a violation does not necessarily equal a HIPAA breach.] HIPAA requires unique user identification for anyone accessing protected health information (PHI). Shared accounts make it impossible to track who accessed what information and when — a direct conflict with the Audit Controls standard. They also prevent proper implementation of role-based access, a key requirement of the Access Control standard.
Shared accounts:
- Prevent individual accountability and activity tracking
- Allow for over-permissive access to sensitive data
- Create complications during staff transitions (onboarding/offboarding)
- Undermine workforce security awareness and policy adherence
The HIPAA Standards at Play
Three HIPAA Security Rule standards are particularly relevant here:
- Access Controls Standard (45 CFR §164.312(a)(1))
This requires implementing technical policies and procedures that allow access only to those persons or software programs that have been granted access rights. This includes using unique user IDs and limiting access based on job responsibilities (aka role-based access).
- Audit Controls Standard (45 CFR §164.312(b))
This requires mechanisms to record and examine activity in systems that contain or use ePHI. If multiple people use the same login, there’s no way to know who performed what action.
- Minimum Necessary Standard (45 CFR §164.502(b))
This standard applies to all uses, disclosures, and requests for PHI. It requires that only the minimum necessary information be accessed, used, or shared to accomplish a specific purpose — which reinforces the need for role-based access and individual logins.
Note: this applies at all times, both internally and externally, so the Minimum Necessary Standard applies to your practice workforce.
Step-by-Step: How to Implement Role-Based Access and Avoid Shared Accounts
Here are practical, efficient ways to shift your practice away from shared logins and toward a compliant, secure access control approach:
- Conduct a System Access Inventory
- List all systems that store or transmit client data (EHR, email, telehealth, billing, file storage, etc.)
- Note system type, BAA status, and who currently accesses them
- Define Roles and Access Needs
- Identify distinct roles in your practice (clinician, biller, intake coordinator, practice manager, etc.)
- For each role, specify what access they need — and what they don’t need
- Assign Unique Logins
- Ensure each person has their own login credentials for every system
- Assign role-appropriate access level within each system (not everyone needs admin rights!)
- Manage Shared Inbox Needs Securely
Shared email inboxes like admin@practice or billing@practice are a legitimate need, but they don’t require shared credentials. Instead:
- Use delegated inboxes: Admin@practice is a user account, and individual team members (e.g., jane@practice) are granted access to view/send from that inbox. Delegation allows them to reply as “admin@” while logged into their own account, maintaining accountability.
How email delegation works:
- The shared address (like the admin@ address) is set up as its own user account.
- Individual team members (e.g., jane@practice) are granted delegated access.
- They continue using their own login credentials but can read, respond to, and manage messages from the delegated inbox.
- Replies come from admin@, preserving a professional and consistent appearance for client communication.
Why delegation is better than a shared password:
- Maintains HIPAA compliance by keeping access tied to individual users
- Supports audit trails so actions can be tracked per user
- Simplifies access management — no need to reset shared passwords when staff leave
- Scales easily as your team grows
- Improves team accountability and quality assurance
- Set Up Onboarding and Offboarding Procedures
- Document and implement procedures for granting, adjusting, and revoking access
- Ensure access changes happen immediately when roles change or staff depart
- Review Audit Logs Periodically
- Confirm your systems log access and activity by user
- Review logs at intervals defined by your risk analysis and policy (monthly, quarterly, etc.)
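To make the steps above concrete, here is an added example (not code from the original article or from any product it mentions) that models them in a few dozen lines of Python. The systems, roles, user IDs and audit log lines are all constructed for illustration. It builds the access inventory from step 1, the role-to-permission map from step 2, ties each person to a single login in step 3, and then does two of the checks a periodic review would run: listing every credential known to more than one person, and scanning a per-user audit log for the pattern a shared login leaves behind (one user ID active from two different source addresses within a short window). The log format is an assumption; a real EHR or billing system will export something different, but the per-user grouping is the same.

```python
from collections import defaultdict
from datetime import datetime

# Step 1: system access inventory (constructed data). For each account we list
# every person who knows its password; more than one holder means the
# credential is shared and cannot be traced to an individual.
INVENTORY = {
    "ehr":        {"baa": True,  "accounts": {"dr.lee": ["dr.lee"], "jane": ["jane"]}},
    "billing":    {"baa": True,  "accounts": {"admin": ["jane", "sam", "pat"]}},
    "email":      {"baa": True,  "accounts": {"admin@practice": ["jane", "sam"],
                                              "jane@practice": ["jane"]}},
    "newsletter": {"baa": False, "accounts": {"marketing": ["sam", "pat"]}},
}

# Step 2: roles and the actions each role needs per system (constructed).
ROLE_PERMISSIONS = {
    "clinician":          {"ehr": {"read", "write"}},
    "biller":             {"ehr": {"read"}, "billing": {"read", "write"}},
    "intake_coordinator": {"ehr": {"read", "write"}, "email": {"read", "send"}},
    "practice_manager":   {"ehr": {"read"}, "billing": {"read"},
                           "email": {"read", "send"}, "newsletter": {"read", "write"}},
}

# Step 3: every person has exactly one role attached to their own user ID.
USER_ROLES = {"dr.lee": "clinician", "jane": "intake_coordinator",
              "sam": "biller", "pat": "practice_manager"}

# Constructed audit log lines: timestamp, system, user ID, action, source IP.
SAMPLE_LOG = [
    "2024-03-04T09:00:00 billing admin login 10.0.0.5",
    "2024-03-04T09:05:00 billing admin view_claim 10.0.0.5",
    "2024-03-04T09:10:00 billing admin login 10.0.0.9",
    "2024-03-04T09:12:00 billing admin edit_claim 10.0.0.9",
    "2024-03-04T09:30:00 ehr jane login 10.0.0.7",
    "2024-03-04T13:00:00 ehr jane login 10.0.0.22",
]


def find_shared_accounts(inventory):
    """Return (system, account, holders) for every credential known to more than one person."""
    shared = []
    for system, info in inventory.items():
        for account, holders in info["accounts"].items():
            if len(holders) > 1:
                shared.append((system, account, sorted(holders)))
    return shared


def can_access(user, system, action):
    """Role-based decision: allowed only if the user's own role grants this action on this system.
    A generic account such as 'admin' has no role, so it is denied by default."""
    role = USER_ROLES.get(user)
    if role is None:
        return False
    return action in ROLE_PERMISSIONS.get(role, {}).get(system, set())


def parse_log_line(line):
    """Split one constructed log line into its fields."""
    ts, system, user, action, ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "system": system,
            "user": user, "action": action, "ip": ip}


def _first_concurrent_ip_pair(events, window_seconds):
    """First pair of events for one user from different IPs within the window, or None."""
    events = sorted(events, key=lambda e: e["ts"])
    for i, a in enumerate(events):
        for b in events[i + 1:]:
            if (b["ts"] - a["ts"]).total_seconds() > window_seconds:
                break
            if a["ip"] != b["ip"]:
                return a["ip"], b["ip"]
    return None


def review_audit_log(lines, window_minutes=30):
    """Per-user activity counts, plus findings where a single user ID was active from
    two different IPs inside the window: the trace a shared credential leaves behind."""
    per_user = defaultdict(list)
    for line in lines:
        if line.strip():
            e = parse_log_line(line)
            per_user[e["user"]].append(e)
    summary = {user: len(evs) for user, evs in per_user.items()}
    findings = []
    for user, evs in per_user.items():
        pair = _first_concurrent_ip_pair(evs, window_minutes * 60)
        if pair:
            findings.append((user,) + pair)
    return summary, findings


if __name__ == "__main__":
    for system, account, holders in find_shared_accounts(INVENTORY):
        print(f"shared credential: {system}/{account} known to {', '.join(holders)}")
    summary, findings = review_audit_log(SAMPLE_LOG)
    print("activity per user:", summary)
    for user, ip_a, ip_b in findings:
        print(f"review: '{user}' active from {ip_a} and {ip_b} within 30 minutes")
```

Running it flags the three shared credentials in the inventory (including the "admin" billing login and the shared admin@practice mailbox password that delegation would remove) and reports the "admin" billing account as active from two addresses ten minutes apart, while jane's two logins hours apart are left alone. Note that `can_access("admin", "billing", "read")` is denied: a generic account has no role, which is exactly why the page insists that access be granted to a named person.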
What If Your System Doesn’t Allow Unique Logins?
Unfortunately, some systems still don’t support multiple user accounts. In these cases:
- Reassess the system: If it holds client data and doesn’t support individual logins, it likely isn’t HIPAA-compliant. It might be time to upgrade.
- Request changes from the vendor: Reach out and advocate for compliance features.
- If you must share credentials temporarily:
- Document it as an accepted risk in your risk analysis
- Explain why it’s currently unavoidable
- Outline what safeguards and contingency plans you’ve put in place
- Plan to phase out the practice as soon as a compliant solution is available
The Bigger Picture: Compliance Culture
Even if you’re only sharing credentials for non-PHI systems (e.g., marketing platforms), we recommend avoiding it. Shared access, even in low-risk systems, can weaken the overall security culture and lead to complacency or confusion about when individual access matters.
Creating a culture of compliance means:
- Modeling good security behavior at every level
- Training your team on proper access hygiene
- Using systems that support security and accountability by design
Small Changes, Major Impact
Moving from shared admin accounts to a role-based access approach might sound like a big shift, but it’s usually a matter of making a few configuration changes and updating procedures. The payoff? Stronger data security, better staff management, and peace of mind knowing you’re aligned with HIPAA standards.
The entire process of managing role-based access in a way that supports both HIPAA compliance *and* operational efficiency is baked into the comprehensive HIPAA compliance process that we provide through the Group Practice PCT Way Compliance Bundle – from the risk analysis, asset and access inventory, Policies & Procedures, and Workforce Manual to the detailed Workforce Management Log for documenting all the necessary pieces – we’re here to help practices turn compliance from a burden into a strategic advantage.