Compliance and IAM remain pain points
- Industry voices warn that compliance, identity-access management, and audits are persistent backend problems beyond clinician usability complaints.
- Posts highlight risks including HITRUST, federal audits, and Epic zero-touch provisioning (ZTP) creating data and HIE reliability issues.
- These operational burdens mean informatics roles increasingly require governance, security awareness, and vendor-configuration skills as well as workflow fluency.
Healthcare IT workers are arguing that the hardest electronic health record problems are no longer just screen design; they are access control, audits, and compliance work behind the scenes. (hhs.gov)

Identity and access management is the system that decides who gets into which application, with which permissions, and for how long. In healthcare, that includes making sure employees, contractors, and vendors get only the access needed for their jobs and no more. (hhs.gov)

Federal regulators already treat those controls as an audit issue, not a back-office preference. The HHS Office for Civil Rights says its HIPAA Audit Program examines compliance mechanisms, and its audit protocol is organized around privacy, security, and breach-notification requirements. (hhs.gov, hhs.gov) That scrutiny has intensified as cyberattacks on hospitals have mounted. On November 21, 2024, the HHS Office of Inspector General said the Office for Civil Rights should strengthen its HIPAA audit program to better protect electronic protected health information. (oig.hhs.gov)

Private-sector certification adds another layer. HITRUST says its assessment handbook sets requirements and expectations for certification, while vendors including Microsoft publish product-by-product guidance on mapping identity controls to HITRUST and HIPAA requirements. (hitrustalliance.net, learn.microsoft.com)

Inside Epic environments, the access problem gets even more specific. Epic’s own marketplace says user and provider identity tools rely on role-based access controls, automatic linking of user and provider records, and provisioning blueprints for provider records. (showroom.epic.com) That is why hospitals often bolt governance software onto Epic instead of relying on manual setup alone. SailPoint and One Identity both market Epic integrations around provisioning, attestation, identity audit, and entitlement management for EMP user accounts and SER provider accounts. (sailpoint.com, support.oneidentity.com)

The data-sharing stakes are larger than one hospital login. HHS says a health information exchange lets more than two unaffiliated entities share electronic protected health information, and the federal Trusted Exchange Framework and Common Agreement, or TEFCA, is meant to make that exchange secure and available across networks. (hhs.gov, healthit.gov) When identity data is wrong, late, or misconfigured, those exchange promises get harder to keep. ONC says TEFCA is designed to make health information available across care settings, which means provisioning and governance errors can spill into treatment access, patient matching, and network trust decisions. (healthit.gov)

The result is a job description shift for informatics and EHR teams. Alongside workflow design and clinician support, organizations now need staff who can read audit requirements, manage role-based access, and configure vendor tools tightly enough to satisfy both operations and regulators. (hhs.gov, showroom.epic.com)
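The mechanics the article keeps naming (role-based entitlements, time-bounded provisioning for contractors and vendors, a least-privilege authorization decision, and the attestation reviews that governance tools sell on top of Epic) fit in a small model. The following Python is an added example, not code from the page, from Epic, or from SailPoint or One Identity; the role names, entitlement strings, user ids, timestamps and the `AccessStore` class are all constructed for illustration and do not correspond to Epic security classes or any vendor's provisioning API.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role catalogue: role -> entitlements it carries. Least privilege means
# a user holds only the roles their job needs, and nothing outside those roles.
ROLE_ENTITLEMENTS = {
    "nurse": {"chart:read", "chart:write", "orders:read"},
    "physician": {"chart:read", "chart:write", "orders:read", "orders:write"},
    "billing": {"chart:read", "claims:read", "claims:write"},
    "vendor_support": {"config:read"},
}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    granted_by: str
    granted_at: datetime
    expires_at: datetime | None  # None = standing access; vendors/contractors get an expiry


@dataclass
class AccessStore:
    """Hypothetical entitlement store with an append-only audit trail."""

    grants: list[Grant] = field(default_factory=list)
    audit_log: list[dict] = field(default_factory=list)

    def provision(self, user, role, granted_by, now, ttl=None):
        # Reject roles outside the catalogue so nobody can provision an undefined set of rights.
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {role!r}")
        grant = Grant(user, role, granted_by, now, now + ttl if ttl else None)
        self.grants.append(grant)
        self.audit_log.append({"event": "provision", "user": user, "role": role,
                               "by": granted_by, "at": now.isoformat()})
        return grant

    def active_roles(self, user, now):
        # A grant stops conferring anything the moment its expiry passes; no manual cleanup needed.
        return {g.role for g in self.grants
                if g.user == user and (g.expires_at is None or now < g.expires_at)}

    def is_permitted(self, user, entitlement, now):
        # Every decision is logged, which is what an auditor asks for first.
        allowed = any(entitlement in ROLE_ENTITLEMENTS[r] for r in self.active_roles(user, now))
        self.audit_log.append({"event": "authz", "user": user, "entitlement": entitlement,
                               "allowed": allowed, "at": now.isoformat()})
        return allowed

    def attestation_report(self, now, stale_after):
        """Periodic access review: grants a manager must certify, or revoke, this cycle."""
        report = []
        for g in self.grants:
            if g.expires_at is not None and now >= g.expires_at:
                report.append((g.user, g.role, "expired"))
            elif now - g.granted_at >= stale_after:
                report.append((g.user, g.role, "review"))
        return report


def run_demo():
    """Constructed scenario: an employee, a time-boxed vendor, and a long-standing physician."""
    t0 = datetime(2024, 11, 1, tzinfo=timezone.utc)
    store = AccessStore()
    store.provision("rn.alice", "nurse", "mgr.bob", t0)
    store.provision("vendor.carol", "vendor_support", "mgr.bob", t0, ttl=timedelta(days=14))
    store.provision("dr.dan", "physician", "mgr.bob", t0 - timedelta(days=200))

    checks = {
        "nurse_writes_chart": store.is_permitted("rn.alice", "chart:write", t0 + timedelta(days=1)),
        "nurse_writes_orders": store.is_permitted("rn.alice", "orders:write", t0 + timedelta(days=1)),
        "vendor_day_7": store.is_permitted("vendor.carol", "config:read", t0 + timedelta(days=7)),
        "vendor_day_30": store.is_permitted("vendor.carol", "config:read", t0 + timedelta(days=30)),
        "unknown_user": store.is_permitted("nobody", "chart:read", t0),
    }
    review = store.attestation_report(t0 + timedelta(days=30), stale_after=timedelta(days=90))
    return checks, review


if __name__ == "__main__":
    decisions, review_items = run_demo()
    for name, allowed in decisions.items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
    for user, role, reason in review_items:
        print(f"attest: {user} / {role} -> {reason}")
```

The two design choices worth noting are that the vendor grant expires on its own rather than waiting for someone to remember to remove it, and that the attestation report surfaces both expired grants and long-standing ones, so the review cycle catches access that was legitimate when granted but may no longer match the person's job.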