User Authentication

From OpenEMR Project Wiki

The user needs to be authenticated.

1. Unique User Identification

VISOLVE>> As per the HIPAA Security Rule, 'Unique User Identification' usually refers to the "Logon Name" or "User ID". This can be a unique name and/or number for identifying and tracking user identity. Any feature which takes care of strengthening the "Login" would come under this section.

The following are some of the system maintenance tasks HIPAA is recommending for Unique User Identification.

a. User identifications that are not associated with active workforce members (such as those of former employees) can easily be compromised and should be removed once the employee is relieved.

b. User identifications provided to consultants and vendors should also be removed or disabled as soon as they are no longer needed.

c. System Administrators can temporarily disable accounts for workforce members leaving for extended periods with no need to access the system, such as medical/family leave or vacations. An automated system that monitors and disables user identifications that remain inactive for certain periods of time (30 days, for example) can also be used.

d. Appropriate changes to the User login when the current workforce members change roles within jobs, or when a workforce member changes a name.

e. The covered entity should change passwords according to the timetable established (which can be identified based on the covered entity's risk analysis) in its policies and procedures.

f. The covered entity should consider passwords containing at least seven alphanumeric characters to make them difficult to guess or decode.
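As an added illustration of items c and f above (not part of the wiki discussion or of OpenEMR's own code), the following Python sweep takes constructed user records and lists the accounts the policy says should be disabled, and checks the seven-alphanumeric-character password rule; the record fields, the dates and the reading of "alphanumeric characters" as a count are assumptions.

```python
from datetime import datetime, timedelta

INACTIVITY_DAYS = 30   # from item c (30 days, for example)
MIN_ALNUM_CHARS = 7    # from item f (at least seven alphanumeric characters)

def accounts_to_disable(users, now, inactivity_days=INACTIVITY_DAYS):
    """Return (username, reason) for active accounts that should be disabled.

    Each user is a dict (assumed schema): username, active (bool),
    last_login (datetime or None), created (datetime), and an optional
    expires (datetime) for consultant/vendor accounts per item b.
    """
    cutoff = now - timedelta(days=inactivity_days)
    flagged = []
    for u in users:
        if not u["active"]:
            continue  # already disabled, nothing to do
        if u.get("expires") is not None and u["expires"] <= now:
            flagged.append((u["username"], "access period expired"))
            continue
        # An account that never logged in is measured from its creation date,
        # so a stale unused account does not escape the sweep.
        last_seen = u["last_login"] or u["created"]
        if last_seen < cutoff:
            flagged.append((u["username"], f"inactive since {last_seen.date()}"))
    return flagged

def password_meets_policy(password, min_alnum=MIN_ALNUM_CHARS):
    """True when the password contains at least min_alnum letters or digits."""
    return sum(c.isalnum() for c in password) >= min_alnum

# Constructed sample data: five accounts reviewed on 2024-03-01.
NOW = datetime(2024, 3, 1)
SAMPLE_USERS = [
    {"username": "alice", "active": True, "last_login": NOW - timedelta(days=5),
     "created": NOW - timedelta(days=400)},
    {"username": "bob", "active": True, "last_login": NOW - timedelta(days=45),
     "created": NOW - timedelta(days=400)},
    {"username": "carol", "active": False, "last_login": NOW - timedelta(days=100),
     "created": NOW - timedelta(days=400)},
    {"username": "dave", "active": True, "last_login": None,
     "created": NOW - timedelta(days=40)},
    {"username": "vendor1", "active": True, "last_login": NOW - timedelta(days=2),
     "created": NOW - timedelta(days=60), "expires": NOW - timedelta(days=1)},
]

def run_sample():
    return accounts_to_disable(SAMPLE_USERS, NOW)

if __name__ == "__main__":
    for username, reason in run_sample():
        print(f"disable {username}: {reason}")
```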

Fred Trotter: Just curious, but you already have database IDs for users, and I assume that you gather things like social security or driver's license numbers on users.... What further is required in your mind?

Sam Bowen: Perhaps I don't understand the requirements, but it seems to me requiring two login passwords, one known only to the user would verify the identity of the user at the time of login.

I think Fred is referring to having unique identifiers in the database to verify to outside reviewers that the users have actually been verified as who they say they are by the OpenEMR system administrator. This doesn't matter much to small offices like mine but unfortunately the CCHIT and HHS (United States Health and Human Services) want us to fix this for every conceivable use in the United States. As users are hired we require them to provide us with a photo identification and professional users such as physicians, physician assistants, and Nurse Practitioners have to also provide their diplomas, certificates and valid license to practice in our local state / province. In this way we verify that the "authorized user" actually has the credentials to use the system.

Fred is coming from the direction of how we assure an outside observer that we have satisfied these requirements before allowing a user to start using a system that allows them to prescribe medications electronically to others who have never seen or heard of this practitioner. Recording these documents in the users' files would not be that difficult?

VISOLVE: The idea you have proposed for "authorized user" (storing the workforce documents) can also be considered to strengthen the policy.