EMR Passwords

Nurses General Nursing

Updated:   Published

I found out that my Director of Nursing  has a spreadsheet of usernames and passwords of all the licensed nurses and home health aides at our company, I believe they are using these to complete incomplete charting, specifically from HHA's. I have been at this company for almost a year, but have never been promoted to change my EMR password. I recall at other places I have worked, my password would expire every 3 months or so & I would have to create a new password.

My first question is, Is there any circumstance in which anybody should have someone else's electronic medical record password? I believe nobody should have my username and password, there is no reason to have it.

My second question is, if my company does have a list of nurses' password and is using it to alter/complete other nurses' charting, what would be the proper way for someone to report that?

The company I work for only works with medi-cal patients, we have zero managed care or Medicare patients.

Specializes in OB-Gyn/Primary Care/Ambulatory Leadership.

I STILL don't understand how the DON came into possession of everyone's passwords. The only way they could have that is if people gave them to her. Why would anyone do that? OP has not come back to provide further info or clarification.

3
Up Vote Up Vote ×

@klone If the IT department is so clueless and to not have these passwords stored in an encrypted fashion - I am guessing that the DON simply asked for a spreadsheet with the details. It could also be that the information is stored in a SharePoint or other drive where it is simply accessible. It's amazing what people think is "secure" - and will save to a drive, not realizing how insecure it is...(I also do wish people would not just drop "bombs" and leave the discussion they start!) ?

 

2
Up Vote Up Vote ×
Specializes in OB-Gyn/Primary Care/Ambulatory Leadership.

Passwords shouldn't be stored ANYWHERE, period. The only one who should know a person's password is the user. The only authority/knowledge that IT should have is the ability to reset a password. 

1
Up Vote Up Vote ×
klone said:

Passwords shouldn't be stored ANYWHERE, period. The only one who should know a person's password is the user. The only authority/knowledge that IT should have is the ability to reset a password. 

It MUST be stored or the system wouldn't know if you were entering a correct password - or not. When you login, the program has to compare the encrypted password with what you entered. If they are the same, you are allowed to login. It never compares the actual password. It compares a hash of the password that is mathematically complex.

Storing is necessary - otherwise systems would be completely inaccessible to everyone - including legitimate users.

3
Up Vote Up Vote ×
Idealista said:

Storing is necessary - otherwise systems would be completely inaccessible to everyone - including legitimate users.

Yes; it seems likely that the poster meant stored somewhere in a non-encrypted form such that a manager could simply read it and type in the characters.

2
Up Vote Up Vote ×
Specializes in Mental Health, Gerontology, Palliative.
Idealista said:

It MUST be stored or the system wouldn't know if you were entering a correct password - or not. When you login, the program has to compare the encrypted password with what you entered. If they are the same, you are allowed to login. It never compares the actual password. It compares a hash of the password that is mathematically complex.

Storing is necessary - otherwise systems would be completely inaccessible to everyone - including legitimate users.

Yes, but appropriate encryption is necessary. 

Our IT department can not retrieved a forgotten password, the only option is is to reset to something generic eg 'welcome1' which prompts the system to make the user choose a new password first time its used and before accessing the system

1
Up Vote Up Vote ×
Specializes in Home Health.

It is stored in a non-encrypted form (just in excel spreadsheet). 

Up Vote Up Vote ×
Advocatenursemama said:

It is stored in a non-encrypted form (just in excel spreadsheet). 

Again, how do you know this?  And what makes you believe that the DON is using this information to modify documentation?

Up Vote Up Vote ×
Specializes in Home Health.

I saw it in a meeting. It was brought up that a home health aide had not charted, and she pulled up a spread sheet & had it projected in front of me and three other people in the office. 

1
Up Vote Up Vote ×
Specializes in OB-Gyn/Primary Care/Ambulatory Leadership.
JKL33 said:

Yes; it seems likely that the poster meant stored somewhere in a non-encrypted form such that a manager could simply read it and type in the characters.

Yes, that is what I meant. Stored (and thus retrievable) by a human. 

Up Vote Up Vote ×
Specializes in Mental Health, Gerontology, Palliative.
Advocatenursemama said:

I saw it in a meeting. It was brought up that a home health aide had not charted, and she pulled up a spread sheet & had it projected in front of me and three other people in the office. 

It floors me that nurses think its acceptable to alter another nurses charting. Had to have this convo with a nurse who had altered something in my note. 

She was like 'you put the time in wrong (by 20 minutes)

I'm like "Either ask me to change it or put in an addit 'time in previous note incorrect by 10 minutes, but keep your hands off my documentation"

 

OP this is as dodgy as all hell.  1, the software encryption is so shonky someone can come in your password and alter your documentation and 2. if she wants something done, use email not accessing information she has no right to . IF something was to go wrong, whats to stop her from changing things around to reduce the risk for her. 

2
Up Vote Up Vote ×
Specializes in Case Manager, Solid Organ Transplant Coordinator.

I thought it was illegal to alter medical records? Plus, if there are incomplete records the person responsible for entering the data should be made aware and make the corrections.

 
As for the user names and passwords, IT has access to everyone's user names and passwords so I am not surprised the CNO has a list too. What you should be concerned with is if they have access to personal accounts like your private email address/password or banking information that was accessed from your employer's computer. Now that is very concerning! 

Up Vote Up Vote ×
+ Add a Comment