Client Access Rules & Privacy/Security

A county felt that the current CDAG rules were lacking a key factor: Treating Provider Relationship.​

Currently, a user may view client information for a client that is not associated with their program. Is this a problem?​

This led CalMHSA to explore the issue with our privacy experts and legal counsel. We came up with a few focal points:

• EHR users should only access PHI according to role-based access controls and pursuant to the minimum necessary standard.
• HIPAA allows for sharing of information for coordination between treating providers without authorization from the client. 42 CFR Part 2 requires authorization from the client.
• Covered entities should have “reasonable administrative, technical, and physical safeguards” in place to protect against accidental and/or intentional use or disclosure of PHI.

When we first implemented SmartCare, there were limitations regarding Client Access. There was the option to limit access to client records by the user’s program, meaning they would only be able to find clients associated with their programs, but there was concern that not having access to all clients in the system meant that clients would be duplicated in the system. Because of this concern, CalMHSA decided to set their standard user roles to be able to access all clients in the system. This would still limit what treatment records could be seen, as this did not impact CDAG restrictions at all. Counties and CalMHSA agreed that the understand was still that users should only be accessing clients based on minimum necessary rules and other administrative safeguards. The Staff Client Access Tracking Report would be used to track inappropriate access to a client’s records.

However, the county in question also felt that the records that show on a list page, which essentially acts as a query of data from the system, indicated a disclosure, as PHI was being passively shown to users without them actively attempting to access these records.

List pages utilize filters to minimize the data shown in the search results of the list page, and CDAG will limit the records further by only including records associated with the programs the user has been designated as “allowed to see” via the CDAG configuration in the staff setup. Once filters have been set, they remain active until the user changes them. This means that even when a user logs out of the system and logs back in, when they return to the list page, the filters will remain at their last setting. Counties use these filters regularly to limit what’s shown on a list page to focus on a specific program. This has been standard practice and a CalMHSA recommendation since go-live.

When a client has signed a Coordinated Care Consent, CDAG rules no longer apply to their records. On a list page, this means that if a program filter was not in place when navigating to the list page, records from other programs, including those outside of the user’s CDAG, will be shown on the screen. This again constitutes passively receiving PHI that the user may not need to see.

Because CalMHSA’s standard user roles provide users access to view all clients in SmartCare, they can passively be presented with PHI associated with clients they do not have a treating provider relationship with. Using the Client Access Rules to limit which clients a user can see to only those within their programs addresses this issue, but may present an alternative challenge to duplicating clients in SmartCare.

However, since the original go-live in July 2023, additional functionality has been added and explored. There is a method of searching across all clients in the system, regardless of whether the client is associated with your program or not. This is called “All Client Search” and allows a user to search by multiple client indicators at a time (e.g. name, SSN, and DOB). This is addressed at the staff user account level, rather than user role level.  The indicators that must be included can be set at the county level by system administrators, meaning a county could require only SSN and DOB, if desired.

Based on this functionality, CalMHSA felt that implementing the “All Client Search” alongside limiting the “Client Access Rules” to only clients within a user’s program would be a technical safeguard that would meet the needs of the counties. CalMHSA explored adding this to their standard user roles and held a County Shared Decision-Making Meeting to elicit feedback from county partners. Many counties expressed that not having access to search for all clients would greatly and negatively impact their workflows. They expressed that having the safeguards of CDAG and list page filters were enough to minimize passive PHI disclosures.