Does the Security Rule permit a covered entity to assign the same log-on ID or user ID to multiple employees?


No. Under the Security Rule, covered entities, regardless of their size, are required, under § 164.312(a)(2)(i) to “assign a unique name and/or number for identifying and tracking user identity.” A “user” is defined in § 164.304 as a “person or entity with authorized access.” Accordingly, the Security Rule requires covered entities to assign a unique name and/or number to each employee or workforce member who uses a system that maintains electronic protected health information (e-PHI), so that system access and activity can be identified and tracked by user. This pertains to workforce members within small or large healthcare provider offices, health plans, group health plans, and healthcare clearinghouses.

Content created by Office for Civil Rights (OCR)
Content last reviewed on July 26, 2013