In an earlier post in this series (HIPAA Audit Tips – OCR Audit Protocol – First Thoughts), we provided some initial thoughts on the OCR audit protocols for the HIPAA Security and Privacy and HITECH Breach Notification Rules.  We will continue to discuss these 77 Security and 88 Privacy/Breach protocols in this series and in our upcoming live webinars. Here’s today’s big tip: check out the emphasis on 45 CFR 164.312(a)(1), the Access Control Standard…

OCR HIPAA Audit Program – Access Control

In a nutshell, Access Control is about who makes what decisions how and when about who shall have what access to what resources – whew!

The HIPAA Security Access Control Standard

At § 164.312(a), under HIPAA Security Technical Safeguards, the Access Control Standard and four (4) Implementation Specifications are stated as follows:

A covered entity must, in accordance with § 164.306: 

(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

(2) Implementation specifications:

(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.

(ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

The OCR HIPAA Audit Program for Access Control

Access Control is covered very thoroughly and, as we wrote last week, this makes great sense because in many organizations “Access Control” is out of control.  There are thirteen (13) specific Audit Procedures that not only cover the four Implementation Specifications but also provide good guidance and clarification as to what organizations should be doing in this area.   Five of the thirteen map back to the four Access Control Implementation Specifications.  The remaining eight (8) Audit Procedures provide a broader framework on approach and support the six (6) Key Activities (OCR Audit nomenclature) associated with these 8 protocols:

  1. Analyze Workloads and Operations to Identify the Access Needs of All Users.
  2. Identify Technical Access Control Capabilities.
  3. Develop Access Control Policy.
  4. Implement Access Control Procedures Using Selected Hardware and Software.
  5. Review and Update User Access.
  6. Terminate Access if it is No Longer Required.
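Key Activities 5 and 6, together with the Unique User Identification and Automatic Logoff specifications quoted above, are the ones an auditor will test by comparing artifacts against practice: the list of accounts the system actually has provisioned versus the list of people your §164.308(a)(4) process has authorized. The script below is an added example written for this post and is not OCR's, nor part of any audit tool; the authorized roster, account records and session table are constructed sample data, and the 90-day stale-account and 15-minute idle-logoff thresholds are assumptions you would replace with the values in your own policy.

```python
"""Access-control evidence check (added example; constructed data, not from the original post).

Compares what the application has provisioned against who was actually
granted access, and flags the three things the Access Control standard
asks about: accounts that are not individually identifiable (shared logins),
access that is no longer required, and sessions that should have been
automatically logged off.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    user_id: str
    enabled: bool
    last_login: Optional[datetime]
    shared: bool = False  # generic/group login, e.g. a nurses'-station account


# Constructed sample data (hypothetical user IDs and dates).
AUTHORIZED = {"jdoe", "asmith", "rlee"}  # output of the entity's own 164.308(a)(4) process
NOW = datetime(2012, 7, 1, 9, 0)
ACCOUNTS = [
    Account("jdoe", True, NOW - timedelta(days=2)),
    Account("asmith", True, NOW - timedelta(days=120)),           # authorized but unused
    Account("bgone", True, NOW - timedelta(days=10)),             # never/no longer authorized
    Account("nurse_station", True, NOW - timedelta(days=1), shared=True),
    Account("rlee", False, None),                                 # disabled; nothing to flag
]


def review_access(accounts: List[Account], authorized: set, now: datetime,
                  stale_after: timedelta = timedelta(days=90)) -> List[Tuple[str, str]]:
    """Return (finding, user_id) pairs for enabled accounts that fail the review.

    - shared_account: violates Unique User Identification (164.312(a)(2)(i)).
    - not_authorized: enabled account with no current access grant; terminate it.
    - stale:          no login within the assumed stale_after window; recertify or disable.
    Disabled accounts are skipped because access has already been terminated.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.shared:
            findings.append(("shared_account", acct.user_id))
        elif acct.user_id not in authorized:
            findings.append(("not_authorized", acct.user_id))
        if acct.last_login is not None and now - acct.last_login > stale_after:
            findings.append(("stale", acct.user_id))
    return findings


def sessions_to_terminate(sessions: Dict[str, datetime], now: datetime,
                          idle_timeout: timedelta = timedelta(minutes=15)) -> List[str]:
    """Automatic Logoff (164.312(a)(2)(iii)): session ids idle at least idle_timeout.

    The timeout value is an assumption; it should come from the written policy
    so that the artifact and the practice agree when an auditor checks both.
    """
    return [sid for sid, last_activity in sessions.items()
            if now - last_activity >= idle_timeout]


if __name__ == "__main__":
    for finding, user in review_access(ACCOUNTS, AUTHORIZED, NOW):
        print(f"{finding:15s} {user}")
    sample_sessions = {"s1": NOW - timedelta(minutes=20), "s2": NOW - timedelta(minutes=5)}
    print("terminate:", sessions_to_terminate(sample_sessions, NOW))
```

Run as-is it reports a stale account, an unauthorized active account and a shared login, and names the one session that has exceeded the idle limit; the output is exactly the kind of artifact the "Are you doing it?" question below asks you to be able to produce on demand.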

Each of the eight (8) Audit Procedures generally dives into: inquiring of management as to whether formal or informal policies and procedures exist; obtaining and reviewing those formal or informal policies and procedures; evaluating their content in relation to the specified performance; acquiring and reviewing lists and other artifacts to assure that practice is consistent with requirements; and determining whether the covered entity’s formal or informal policies and procedures have been approved and updated on a periodic basis.

We Boil It Down For You This Way

  1. Is it documented? (Have Policies, Procedures and Documentation?)
  2. Are you doing it? (Using, Applying, Practicing, Enforcing your own Policies and Procedures?)
  3. Is it Reasonable and Appropriate? (Comply with the implementation specification and in accordance with 45 CFR 164.306?)

All of these and other audit points have been designed into our HIPAA Security Assessment SaaS solution.  If you’re considering tools and approaches to reinvigorate your compliance program, we encourage you to see how this software can revolutionize your Privacy, Security, Compliance and Information Risk Management program in one of our live guided tours.

Wanna be even more ready for an audit or hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on Audit Preparation, Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):

Series navigation: previous post, HIPAA Audit Tips – OCR Audit Protocol – First Thoughts; next post, HIPAA Audit Tips – It's Not About The Audits!

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.