Since you ask for their password, how can you prove any action taken with that account is really the nurse and not the administrator or someone else who knows the nurse's credential?
How can you share passwords and still meet HIPAA requirements? From the HIPAA admin simplification document, section 164.312:
"Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity."
Also,
"(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed."
Does your facility treat MA residents? If you have PII from residents of MA, you may also want to review http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf, specifically 17.04(2)(b), which states:
"assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;"
The key word in those regulations is "unique." If more than one person can log in using the account, it is not a unique login.
If you need to convince management to support a policy change away from shared credentials, the threat of massive fines for HIPAA violations usually gets their attention.