There are three key aspects to keep in mind regarding NaviNet users: getting the right users on NaviNet, making sure users have their own unique username, and removing users when they no longer use NaviNet.
- The right users. Make NaviNet available to all users who transact at least a few times a month. Many places in the practice or office are obvious: front desk and billing departments, for instance. But NaviNet also has referrals and authorizations for many health plans, and almost all practice roles must look up patient benefits at some point. We recommend that you get a wide variety of people to use NaviNet, each with a focus on the specific transactions that fit their role.
Do not add users from third parties that you contract with, such as billing or credentialing agencies. Third parties must create their own NaviNet account.
- Unique usernames. This is extremely important—it is required by HIPAA, and it also makes NaviNet work more smoothly in the office. HIPAA requires that each individual person have a unique username and password, and that they never be shared, so the security officer is expected to make this the standard office policy for NaviNet users. NaviNet enforces this with a practice that if a second person logs in with the same username, the first person logged in with that username is automatically logged out. If it looks like NaviNet is “always going down” or “always timing out” in your office, it might be because users are sharing usernames and trying to log in at the same time. Giving all users their own usernames solves this problem.
- Removing users. Ensure that you terminate user accounts when an individual NaviNet user leaves the practice or no longer needs to use NaviNet. Having people outside your practice access NaviNet and view PHI is considered a HIPAA violation that your office is responsible for. Human resources must notify security officers when employees leave the practice so they can terminate the user account. Security officers must also periodically review the list of active users to see if there are any accounts that should be terminated.