Why Sharing of EHR Passwords is Common Among Medical People


Ayal Hassidim, MD of Hadassah Hebrew University Medical Center in Jerusalem conducted a research in collaboration with researchers from Harvard Medical School, Duke University and Ben Gurion University of the Negev. The study involved the survey of 299 medical students, interns, medical residents and nurses regarding the practice of sharing EHR passwords. The results, which were published in Healthcare Informatics Research, showed that sharing EHR passwords is very common.

Medical professionals use EHRs to store and access sensitive health information. HIPAA regulates the use of EHR systems by requiring individuals to have a unique user ID and password for accessing information. Every time a person accesses protected health information, logging is required so that healthcare organizations can monitor unauthorized access. Sharing of login credentials will make the recording of persons accessing the system useless and it violates HIPAA rules.

The survey confirmed that sharing EHR passwords is very common even if it is prohibited by hospital policies and HIPAA rules. 73% of the respondents said they used another person’s password to access EHR records at least once. 57% said they did it several times – 4.75 times on average. The surveyed medical students also said that they accessed EHRs using another person’s login details. 57% of nurses admitted to doing the same.

As for the reason why people shared EHR passwords, these were some of the reasons:

  •  Permissions on the user’s account did not allow the completion of work duties.
  •  Technical problems made it impossible for users to create won credentials.
  •  Personal login details were not issued even when a person needs EHR access to complete work duties.
  •  Quick login is required to provide timely and efficient patient care.

After analyzing the data, the researchers suggested the following recommendations regarding the use of EHRs. First, usability should be considered when planning EMRs and PHI-containing medical records.  Second, there should be another option for each EMR role that maximizes privileges for one action. This would make it possible for a junior staff to make urgent, lifesaving decisions without outwitting the EMR.