Tuesday, May 6, 2008

Role-based Access Control

Protecting privacy is foundational to electronic health records and healthcare information exchange. In 2007, the Healthcare Information Technology Standards Panel specified the technical standards needed to ensure the security of patient records and these will be incorporated into vendor products over the next 2-3 years.

At BIDMC, our privacy controls are based on the concept of "minimum need to know" and are implemented via single sign-on authentication, auditing, role-based access control and a "lock box" for mental health notes.

Authentication
Each person working at or affiliated with BIDMC has a unique username and password which they use to access applications, sign notes, and write orders. In the 1990s each person had numerous usernames and passwords of differing complexity and password expiration timeframes. In 2000, we built an enterprise-wide LDAP directory to manage all our user accounts. In 2003, we interfaced it to Microsoft's Active Directory and created processes to tightly manage these accounts, including standardizing our policies for password complexity and expiration. In 2005, we built a portal and web services to enable single sign-on authentication to virtually all our applications. This means that our users only have to remember one password, albeit a very complex password (non-English word, mixed case, alphanumeric) that expires every 200 days. Passwords are activated centrally to ensure we have appropriate approvals and management oversight of each user. Whenever a clinician or staff member leaves the organization, their password is immediately deactivated for all applications.

Auditing
We store an audit of every patient lookup made by a clinician or staff member. All stakeholders at BIDMC know that violating confidentiality results in termination. We run automated tools to examine the audit trails and highlight suspicious behavior.

Authorization
The centerpiece of our privacy controls is a set of over 500 access control rules which limit access to information based on job role and application function. For each application, we work with our stakeholders and Governance Committees to define the required levels of access based on the functions within the application. End users are then assigned an "authorization string" that grants access to the minimum information relevant to their role for each application.

For example, in an Appointment Scheduling application, front desk staff can make appointments, update registrations and perform charge entry. A practice manager can do all of that plus maintain schedules and run management reports. As we add functions to our applications, we determine which authorization is required to access each function.

Role-based access also has workflow implications. In our Provider Order Entry application, a staff doctor or resident can write an order but if a medical student writes an order, it is not visible to the nurse until it has been co-signed. A nurse can write only verbal orders, and a unit coordinator cannot write orders but can discharge patients. In our electronic health record, a resident can write a progress note but only a staff doctor can co-sign that note.

Monitored notes
We recognize that some portions of the medical record, such as mental health notes, are more sensitive than others. In the early 1990s we created a lock box for such information called "monitored notes". The author of protected information places the data in the electronic lock box. Other clinicians can only access this data by providing written justification of the need to open the lock box. Each lock box access is emailed to the author of the content and is reviewed by our security team.
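As an added illustration (not BIDMC's code), the three kinds of rule described in the Authorization and Monitored notes sections can be modelled in a few lines: a deny-by-default role-to-function table for the scheduling example, the co-sign gate on medical-student orders, and a lock box whose non-author access requires a written justification and is audited. Role names, function names and the audit record format are assumptions for illustration.

```python
# Added example, not BIDMC code. Role names, function names and the audit
# record layout are assumed for illustration.
from dataclasses import dataclass, field

# Role -> application functions it may use. This is a stand-in for the
# per-application "authorization string" assigned to each user.
SCHEDULING_RULES = {
    "front_desk": {"make_appointment", "update_registration", "charge_entry"},
    "practice_manager": {"make_appointment", "update_registration", "charge_entry",
                         "maintain_schedule", "management_report"},
}

def authorized(role, function, rules=SCHEDULING_RULES):
    """Deny by default: a role gets only the functions its rule set lists."""
    return function in rules.get(role, set())

@dataclass
class Order:
    author_role: str
    cosigned: bool = False

def order_visible_to_nurse(order):
    """Workflow rule: a medical student's order stays hidden from the nurse
    until a staff doctor or resident has co-signed it."""
    if order.author_role == "medical_student":
        return order.cosigned
    return order.author_role in {"staff_doctor", "resident"}

@dataclass
class MonitoredNote:
    author: str
    text: str
    audit: list = field(default_factory=list)

    def open(self, clinician, justification):
        """Lock box: the author reads freely; anyone else must supply a
        non-empty written justification, and every such opening is recorded
        so it can be emailed to the author and reviewed by security."""
        if clinician != self.author:
            if not justification.strip():
                raise PermissionError("written justification required")
            self.audit.append({"by": clinician, "why": justification,
                               "notify": self.author})
        return self.text
```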

Health Information Exchange between organizations relies on all these protections plus opt-in patient consent for sharing data with external providers. HITSP standards include the use of the OASIS standard called XACML for role-based access control and HL7 Consent standards to document patient data exchange preferences. The current Nationwide Health Information Network pilots and our project to exchange disability application data with the Social Security Administration include these protections.

Our over 500 rules controlling every data element in every application have been an effective means to protect confidentiality. With constant vigilance, a team of 4 full time security professionals monitoring our systems, and yearly third party audits, we're doing our best to maintain the trust of our patients.
