I am asked this question on a daily basis. Do we need each staff member to have a unique user ID? Is a unique user ID required? The answer is YES. Almost every network I look at has user ID’s like User01, Exam01, Scanner, Fax01, etc. I totally understand the inconvenience to having to log in and out every time you go into an exam room, but this is something that simply needs to be done. You must have a unique user ID.

Unique User ID

This is straight from the HHS website.

Does the Security Rule permit a covered entity to assign the same log-on ID or user ID to multiple employees?


No. Under the Security Rule, covered entities, regardless of their size, are required, under § 164.312(a)(2)(i) to “assign a unique name and/or number for identifying and tracking user identity.” A “user” is defined in § 164.304 as a “person or entity with authorized access.” Accordingly, the Security Rule requires covered entities to assign a unique name and/or number to each employee or workforce member who uses a system that maintains electronic protected health information (e-PHI), so that system access and activity can be identified and tracked by user. This pertains to workforce members within small or large healthcare provider offices, health plans, group health plans, and healthcare clearinghouses.

Why You Need a Unique User ID

The answer is simple. For monitoring and tracking. I know that you use a unique user ID when you log into your EMR, but if a hacker gets into your network, user accounts like Exam01, Fax01, etc. will most definitely be a very easy way for a hacker to implement a ransomware attack. Protecting your network is much more than just logging into your EMR. We need to protect the network as a whole.