YORK, PA — WellSpan Health complies with HIPAA security rules by dealing with user accounts in minutes, thanks to its provisioning technology.

Before the provisioning system was in place, the IT staff of this Pennsylvania-based hospital network often would spend several months creating or terminating accounts, a protracted timeframe that could lead to security vulnerabilities.

“We had a lot of user IDs to maintain and (we) were getting more requests for access to our EMR data,” said William J. Gillespie, WellSpan’s vice president and CIO. “HIPAA came about, and we needed a timely termination of user ID accounts.  It was hard for our small IT security staff to keep up with the maintenance of the system.”

After the advent of HIPAA regulations and the hospital network’s acquisition of other health information technologies, WellSpan Health invested in Courion’s Enterprise Provisioning to control user access for the network’s 8,000 employees.

Gillespie says WellSpan Health is no longer overwhelmed by the time needed to create new user accounts or delete obsolete files.

“Healthcare organizations should not just add IT security staff. They need to invest in these tools to maintain a timely management of user accounts,” he said.

Children’s Hospital Boston purchased provisioning technology from Courion in 2003 to manage its fluctuating user numbers.

“We can have as many as 500 people per day that access our network, mostly residents and interns,” said David Leary, systems manager at Children’s Hospital Boston. “We needed to make sure that people have the accounts they need to deliver clinical care.”

Healthcare is a growing market for provisioning vendors. Deborah Pappas, vice president of marketing at Courion, says that almost 25 percent of Courion’s clients are healthcare-related. Courion and other vendors such as Sentillion and Fischer International offer Web-based subscription services that create profiles, manage access changes and facilitate new application compliance with hospitals’ systems.

Enabling hospital IT staff to control who has network access is key, said Robert Seliger, Sentillion’s CEO.

“The IT staff defines the rules in allowing end-user access,” he said. “It enables centralized control but distributed use.”