HIPAA Tip: Regular Review of User Accounts

Most healthcare organizations will disable access to the EMR, Practice Management or billing systems and applications promptly (even immediately) upon a resignation or termination of a staff member. Is the same procedure in place for the Windows Operating System (OS) Active Directory?

Per the HIPAA Security Rule, Covered Entities and their Business Associates are responsible for “regularly reviewing” users in all systems and applications containing ePHI. This includes Windows Active Directory (AD).

The following should be asked of your IT vendor or department:

  • Request a list of active users in Windows AD at least three times a year. Review the active users to ensure that anyone no longer with the organization has been disabled.
  • Are there any users with administrative rights or privileges in the Windows OS? Who are they, and is it necessary for these users to have elevated permissions?
  • Is there a software solution in place that monitors user activity, especially for third parties / vendors?
  • If a user is outside the business environment (e.g., a vendor), is there an additional sign-in step, i.e., two-factor or multi-factor authentication?
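As an added example (not part of the original post), the following read-only PowerShell script produces the evidence the first two questions call for: the enabled AD users, the enabled accounts with no recent logon (leaver or dormant-vendor candidates), and the members of the built-in privileged groups. It assumes the RSAT ActiveDirectory module is installed and the account running it can read the directory; the 90-day threshold and the report folder are assumptions.

```powershell
# Added example: quarterly AD user review evidence. Read-only; nothing is changed in AD.
Import-Module ActiveDirectory

$InactiveDays = 90                              # assumption: review threshold
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$ReportDir    = 'C:\Reports\ADReview'           # assumption: where review evidence is kept
$Stamp        = Get-Date -Format 'yyyyMMdd'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. All enabled users with their last logon, for the leaver review.
$Enabled = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, whenCreated, Description |
    Select-Object SamAccountName, Name, LastLogonDate, whenCreated, Description
$Enabled | Sort-Object LastLogonDate |
    Export-Csv "$ReportDir\enabled-users-$Stamp.csv" -NoTypeInformation

# Enabled accounts with no logon since the cutoff (or never): these are the
# accounts to confirm against HR and vendor records and disable if no longer needed.
$Stale = $Enabled | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff }
$Stale | Export-Csv "$ReportDir\stale-enabled-users-$Stamp.csv" -NoTypeInformation

# 2. Who holds elevated permissions: members of the built-in privileged groups,
#    resolved through nested groups. Forest-level groups only exist in the root
#    domain, so lookups that fail are skipped rather than aborting the review.
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Account Operators', 'Server Operators'
$Admins = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties Enabled, LastLogonDate
            [pscustomobject]@{
                Group          = $g
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                LastLogonDate  = $u.LastLogonDate
                StaleOrDisabled = (-not $u.Enabled) -or (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $Cutoff)
            }
        }
}
$Admins | Sort-Object Group, SamAccountName |
    Export-Csv "$ReportDir\privileged-users-$Stamp.csv" -NoTypeInformation

# Summary for the reviewer; the CSVs are the retained evidence of the review.
Write-Host ("Enabled users: {0}  Stale enabled: {1}  Privileged memberships: {2}  Privileged stale/disabled: {3}" -f
    $Enabled.Count, @($Stale).Count, @($Admins).Count, @($Admins | Where-Object StaleOrDisabled).Count)
```

Keep the dated CSVs with the sign-off of whoever reviewed them; together they demonstrate the “regular review” the Security Rule asks for.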

Review users and third parties in all systems and applications containing ePHI regularly, not just annually, along with their privileges and permissions.

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.


Dawn Meglino

HIPAA Compliance Specialist, CHPSE, CCSA, CCAP
