· Who is authorized to log in to MediTrax?
· What is a MediTrax Administrator?
· How can the Administrator maintain the Authorized User roster?
· What data-access permissions are given to Authorized Users?
· How can I configure data-access permissions for each User Group?
· How can I indicate that a User is also a Staff Clinician?
· How can I enable "single-signon" login to MediTrax?

Only Authorized Users are allowed to log in to MediTrax. Your MediTrax Administrator may create an unlimited number of Authorized Users, and each Authorized User has privileges depending on the User Group(s) to which he/she is assigned. Data access and data-entry privileges are controlled for each individual User, and each MediTrax work session requires an authorized login ID and password.

One or more MediTrax Users may be assigned the role of System Administrator or MediTrax Administrator. The MediTrax Administrator determines who will be authorized to use the program. Because this individual has the ability to determine who will be granted access to confidential Employee information (including the PHI contained in the Employee EMR), the MediTrax Administrator should be a Clinician or other individual who would otherwise be allowed to view that confidential information. HR staff, supervisors and IT/IS personnel should not be granted Administrator privileges. Allowing non-clinical personnel to grant PHI access to themselves or to other individuals can be an "open and shut" HIPAA violation.

TO REITERATE: Non-clinicians and others (including supervisors, facility administators, IT/IS staff, relatives, attorneys, employers, co-workers, union representatives, and even law enforcement officers) who do not have the express consent of individuals whose PHI is stored in an electronic database are prohibited by law from accessing that PHI. In the absence of a legal subpoena, disclosing PHI to anyone who does not have that express consent is prohibited under HIPAA.

Health care facility administrators may wish to review this issue with their Director/Supervisor of Medical Records, and to ask whether any individual who does not have the express consent of a patient would be allowed to access and view the medical record of that patient.

Please note that MediTrax support staff may occasionally need to view the contents of MediTrax data tables (e.g., in a webinar) in order to investigate and resolve specific data-table issues. This process is addressed in the Business Associate Agreement (BAA) which we sign for each facility in advance of providing support. The BAA includes specific references to "business need" defined in the HIPAA Privacy and Security regulations found at 45 CFR Parts §160 and §164, as well as the HITECH statute. The previously-mentioned roster of supervisors, facility administators, IT/IS staff, relatives, attorneys, employers, co-workers, union representatives, and law enforcement officers have no "business need" to access data tables containing PHI.

To configure the roster of Authorized Users, select Utilities | Database Administration | Authorized Users & Security | Individual User Access from the main menu screen. Check the box labeled "Show Former Users" to ensure that you do not create a second record for a single User. From the list of Users displayed on the screen, you may add a new User, or you may edit or delete a User's access levels. If you wish to authorize a new User, select Add.

When adding or editing a User record, MediTrax now displays a multi-function screen enabling you to enter or confirm the User's name and ID. In multi-site configurations, you specify the locations (or "virtual locations") at which the User works. You may also document additional contact information including the User's phone number and email address.

NOTE: An IT/IS Network Administrator will need to grant each User network access (with read/write/create/delete/edit/execute privileges) to the shared drive on which your MediTrax application resides. Additionally, MediTrax requires that two data folders must reside on the C: drive of the User's workstation. The folder MT5HELP will contain the Meditrax Pop-up Help file (effective with Windows 7, compiled Help files cannot be run from a network location) as well as a configuration data table which speeds program startup. The folder MT5_TEMP will contain files which MediTrax creates for temporary data storage by the User, and for which long-term access is not required. The User will also need read/write/create/delete/edit/execute privileges) to the C: drive.

When adding a new User, or when restoring the access privileges of an inactive User, MediTrax prompts you to enter a temporary password for the User unless you configure the User's login to utilize the much simpler Single Sign-On feature in MediTrax. This password must be at least 7 characters, including three of the four following data types: Uppercase, lower case, numeric, and "special characters". When the User logs in using that temporary password, MediTrax prompts the User to change the password.

Data access in MediTrax is "role-based." The MediTrax Administrator may define an unlimited number of roles by creating User Groups. NOTE: Evaluation copies of Meditrax bypass the logon procedure, and enable all users to access all data functions.

Select Utilities | Database Administration | Authorized Users & Security | Group Data-Access Permissions. The default list of User Groups includes the following Groups:
- Employee Health
- MediTrax Administration
- Employer/HR Access
- IT/IS Access

The specific data-access permissions in each of these Groups is user-configurable. You may create additional User groups (up to a maximum of 15 groups) to which individual Users may be granted access. User-defined groups which do not have any members may be deleted at any time.

All Users have permission to view (read) clinical schedules and demographic information. To grant additional permissions, select the Group(s) to which the User belongs. You may click on the View button to the right of any Group name to view a list of the permissions granted to that Group.

Select any Group to edit the access (read) and entry (write) permissions for that Group. Individual and Group permissions include 11 categories of permissions. Within each category, the permissions for that category are listed.

In compliance with HIPAA regulations regarding the privacy of Protected Health Information (PHI), HR and IT/IS staff should NOT be granted a level of access which enables them to view the PHI of any worker in your database, or to grant PHI access to other Users. Authorized MediTrax Users with HR or IT/IS access privileges may utilize most program functions which do not involve viewing or editing PHI.

When editing a User's profile, check the box for Clinician, and select the appropriate record in the Staff Clinicians picklist. Note that the individual must have been previously added to your Staff Clinicians data table in order to select the correct record.

If the user's MediTrax Login ID is the same as his/her Active Directory ID (the ID the individual uses to log on to your network -- sometimes referred to as a Network Alias), it will not be necessary to enter an ID and password each time the User logs on to MediTrax. If you do not wish to use this single-signon feature, you will be prompted to create a temporary password.