User Guide — User Administration
athenaOne for Hospitals & Health Systems
A user account is required to log in to and use athenaOne. The Users page allows you to create, update, and delete athenaOne user accounts for staff members in your practice. When you create an account, athenaOne assigns it a username that is unique throughout our entire athenaOne network.
Usernames are generated from the user's first-name initial and last name. If this combination is not unique, athenaOne automatically appends a digit to the end so that the username is unique throughout our entire network.
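The username scheme just described, written out as a small Python reconstruction. This is an added example, not athenaOne's own code: the exact name normalization athenaOne applies and the order of the appended digits (1, 2, 3, ...) are assumptions, and `taken` stands in for the network-wide set of usernames already in use.

```python
import unicodedata


def base_username(first_name: str, last_name: str) -> str:
    """First-name initial + last name, lower-cased, with accents, apostrophes
    and spaces stripped. Normalization details are an assumption."""

    def letters(s: str) -> str:
        decomposed = unicodedata.normalize("NFKD", s)
        return "".join(c for c in decomposed if c.isascii() and c.isalpha()).lower()

    initial = letters(first_name)[:1]
    surname = letters(last_name)
    if not initial or not surname:
        raise ValueError("first and last name must each contain at least one letter")
    return initial + surname


def allocate_username(first_name: str, last_name: str, taken: set) -> str:
    """Return a username that is not yet in `taken`, appending the smallest
    numeric suffix needed (assumed order: jsmith, jsmith1, jsmith2, ...).
    The chosen name is recorded in `taken` so later calls stay unique."""
    base = base_username(first_name, last_name)
    candidate = base
    suffix = 1
    while candidate in taken:
        candidate = f"{base}{suffix}"
        suffix += 1
    taken.add(candidate)
    return candidate


if __name__ == "__main__":
    # Constructed sample input: three staff members who share a base username.
    in_use = set()
    for first, last in [("Jane", "Smith"), ("John", "Smith"), ("Joan", "Smith")]:
        print(first, last, "->", allocate_username(first, last, in_use))
```

Because the suffix only guarantees uniqueness, not identity, the result tells an auditor which account acted but nothing about who holds it; the roster of account-to-person assignments still has to be maintained separately.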
Every user in your practice should use a unique, personal user account to log in to athenaOne. All athenaOne users should keep their passwords secret. athenaOne users can create security questions and reset their own passwords using the Reset Your Password page.
The username is a critical component of athenaOne data security, patient privacy compliance, financial auditing, and user accountability. Every action a user takes in athenaOne, from patient registration to payment collection, is logged with the staff member's username. HIPAA data security requires an accurate audit history; therefore, HIPAA compliance requires every athenaOne user to log in to the system using their own username and password.
Important
A generic username is one that is not specific to an individual's own name but could be used by many different users. We are unable to audit which user accessed patient information or took action using a generic account, so generic usernames should never be used. They also violate athenaOne regulations.
Covered entities, including athenahealth and its clients, should never assign the same login ID or user ID to multiple employees. Under the HIPAA Security Rule, covered entities, regardless of their size, are required to assign a unique name and/or number for identifying and tracking user identity.
A "user" is defined as a "person or entity with authorized access." Accordingly, the Security Rule requires covered entities to assign a unique name and/or number to each employee or workforce member who uses a system that maintains electronic protected health information (ePHI), so that system access and activity can be identified and tracked. This rule pertains to workforce members within small or large healthcare provider offices, health plans, group health plans, and healthcare clearinghouses.
As required under Section 45 CFR 164.312(a)(2)(i) of HIPAA, all actions performed in athenaOne must be traceable to a specific individual. This helps us, and our practices, maintain the security and integrity of our systems.
Note: A non-person provider is an entity configured using the Providers page that refers to a scheduling resource (such as "Echocardiogram") or generic provider (such as "Nurse"). With athenaClinicals, if your practice has the "Assign Encounters to Practice Roles" feature enabled, you can associate a non-person provider with a practice role instead of with a username.
See also: Assign Encounters to Practice Role.
See also: athenaOne Login
After you create the user accounts, you can control the user's access level to both athenaOne functions and to the data itself. User access is a critical component for athenaOne data security, patient privacy compliance, and staff member accountability. User access levels control which athenaOne pages a staff member can access, what data a staff member can view and update, and which athenaOne functions a staff member can perform.
Each feature and function in athenaOne requires that the user hold the corresponding "user permission" to access the relevant page and perform the function. athenaOne bundles many of these user permissions into "roles," such as Receptionist, Billing Manager, and Privacy Administrator, to make it easier for you to assign the appropriate permissions to each user in your practice. You can use the Users page to assign roles and permissions to each user.
The following athenaOne pages give you control over user access to the data in your practice:
See also: View-Only Access
During implementation, your practice identifies a small number of "superusers" who are trained in all aspects of athenaOne. Your superusers will have access to view and change almost everything in your system, including the responsibility for granting access and privileges to other users. For this reason, it is important that you keep the number of superusers small and that these superusers be your most trusted and capable employees.
When a superuser leaves your practice, it is a good security practice to have every user change his or her password. You should also periodically ensure that you can link every user account to an authorized person.
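The periodic check described above, and the ban on generic accounts from the Important note, as an added Python example that is not part of the guide or of athenaOne itself. It takes a constructed list of user accounts (what an administrator would export from the Users page) and a constructed roster of currently employed staff, and reports accounts that cannot be linked to an active person, accounts whose name looks generic or shared, and a superuser count above a chosen limit. The `Superuser` role label, the `GENERIC_WORDS` list, the threshold and all the sample records are assumptions.

```python
from dataclasses import dataclass

# Constructed sample export: not real athenaOne data.
@dataclass(frozen=True)
class Account:
    username: str
    first_name: str
    last_name: str
    roles: tuple
    active: bool


ACCOUNTS = [
    Account("jsmith", "Jane", "Smith", ("Receptionist",), True),
    Account("jsmith1", "John", "Smith", ("Billing Manager", "Superuser"), True),
    Account("frontdesk", "", "", ("Receptionist",), True),       # shared login
    Account("rlee", "Rosa", "Lee", ("Superuser",), True),          # left the practice
    Account("mchen", "Mei", "Chen", ("Superuser",), False),        # already deactivated
    Account("pkumar", "Priya", "Kumar", ("Superuser",), True),
    Account("tnguyen", "Tom", "Nguyen", ("Superuser",), True),
]

# Constructed HR roster of active staff, keyed by lower-cased (first, last).
ROSTER = {
    ("jane", "smith"): "E1001",
    ("john", "smith"): "E1002",
    ("priya", "kumar"): "E1003",
    ("tom", "nguyen"): "E1004",
}

# Assumed values: a role label for superusers and the maximum you tolerate.
SUPERUSER_ROLE = "Superuser"
MAX_SUPERUSERS = 3
GENERIC_WORDS = {"frontdesk", "reception", "nurse", "billing", "admin", "shared", "test"}


def is_generic(account: Account) -> bool:
    """True when the account is not attributable to one named person:
    no name on record, a role-like word as the username, or a username
    that does not follow the initial + last-name pattern."""
    stem = account.username.rstrip("0123456789").lower()
    if not account.first_name or not account.last_name:
        return True
    if stem in GENERIC_WORDS:
        return True
    expected = (account.first_name[0] + account.last_name).lower()
    return stem != expected


def audit_accounts(accounts, roster, max_superusers=MAX_SUPERUSERS):
    """Return a list of (subject, finding) tuples for active accounts."""
    findings = []
    superusers = []
    for account in accounts:
        if not account.active:
            continue  # deactivated accounts cannot act, so they are not reviewed
        key = (account.first_name.lower(), account.last_name.lower())
        if key not in roster:
            findings.append((account.username, "no matching active person on roster"))
        if is_generic(account):
            findings.append((account.username, "generic or shared account name"))
        if SUPERUSER_ROLE in account.roles:
            superusers.append(account.username)
    if len(superusers) > max_superusers:
        findings.append(("superusers", f"{len(superusers)} active superusers exceeds limit of {max_superusers}: {', '.join(superusers)}"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_accounts(ACCOUNTS, ROSTER):
        print(f"{subject}: {finding}")
```

An account that appears in the findings is the trigger for the actions the guide describes: deactivate or reassign it on the Users page, and, when the departed person was a superuser, have every remaining user change their password.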
After your staff members receive usernames, you can create user groups so that you can easily send messages containing information relevant to the various groups or departments within your practice. For example, you may want to send a message to all the providers in your practice, or to all the members of your billing staff. Use the User Groups page to create user groups, and use the User Group Membership page to add users to a group.