Security Issues in The THERAPIST

One of the provisions of HIPAA concerns the security of the information you keep on your patients. Even without HIPAA however, it would be important to keep this information private and secure from prying eyes. The THERAPIST gives you the tools you need to do this in the form of login security and security groups.

Each user of The THERAPIST logs into the program with a unique login name. Each user is assigned to one of several security groups. When you have enabled requiring login passwords, the security group determines the user's access and update rights. The program comes with four default security groups but you can add as many others as you wish.

For each security group, you can individually enable or disable access to a variety of functions and features of the program. This is as simple as clicking on a line to check or uncheck access.

A good example of how security can be used effectively is in an office with three people using The THERAPIST. The THERAPIST, as the owner of the program as well as the practice, needs to be able to access every feature of the program including assigning security to other users. This is easily accomplished by assigning The THERAPIST's login user to the System Administrator security group. This is one of the built-in groups and the only one whose access rights cannot be altered. System administrators always have total access.

The next person in the office is a receptionist who enters the services and payments but does not need to see patient's case information, treatment plans, or progress notes. Create a new security group for Data Entry and give them access to patient information including transactions. They should be able to edit as well as view this information. Clear access for clinical information. Assign the Data Entry receptionist's user login to the Data Entry security group.

Finally, there is a person who comes in periodically and generates insurance claims and patient statements. Create a Billing Person security group. This billing person, does not need to change any records so those accesses can be removed. Their access can be quite limited but still have the rights to generate the bills.

Keep in mind that the restrictions only apply if you are requiring login passwords. It would be pointless to try limiting a user who can easily login as another user to do something they shouldn't. With secret passwords, the restrictions are meaningful.

One last point: The THERAPIST comes with a built-in system administrator user with the login name Admin. This user cannot be deleted and its security group cannot be changed. However, you can and should change the login password for this user. Otherwise anyone who looks at the installation guide will be able to log into your system with complete access to everything and the ability to lock out all other users.