(ii) Implementation specifications:

(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

Tell Me More:

Authorization is the act of determining whether a particular user (or computer system) has the right to carry out a certain activity, such as reading a file or running a program.  For the authorization and/or supervisionimplementation specification, covered entities should address implementing procedures for the authorization and/or supervision of workforce members who work with electronic protected health information (EPHI) or in locations where it might be accessed.

Authentication is proving that a user is whom s/he claims to be. Authentication and authorization go hand in hand. Based upon the results of your risk analysis, your organization may need to assure that users must be authenticated before carrying out the activity they are authorized to perform. (See also Standard: Person or Entity Authentication)

These procedures are documented formal procedures and instructions for the oversight of maintenance personnel when the workforce is near health information pertaining to an individual. Policies and procedures must be in place for determining the access level to be granted to individuals working on, or near, health information.

Workforce members, such as operations and maintenance personnel, must either be supervised or have authorization when working with electronic PHI or in locations where it resides. Covered entities can decide on the feasibility of meeting this specification based on their risk analysis.

Covered entities should address implementing procedures for the authorization and/or supervision of workforce members who work with or near electronic protected health information (EPHI).

Questions to consider:

  • Is there a procedure for determining which employees and groups of employees have access to specific ePHI and other PHI? If not, one will have to be implemented.
  • Who manages granting, modifying (when responsibilities change), and terminating access to systems, applications, databases and directories that contain ePHI and other PHI? Is the person who responsible for authorizing access different from the person responsible for granting access to ePHI and other PHI? The roles of each individual involved in this process should be clearly defined.
  • Are reasonable efforts made to identify and authenticate employees prior to their obtaining access to ePHI and other PHI? It may be necessary to change procedures to ensure this is accomplished.
  • Are access authorization records maintained? Part of your HIPAA documentation should include such records.

A complete set of HIPAA Security Policies and Procedures may be purchased here.

 

References:

Series Navigation<< 164.308(a)(7)(ii)(D) Standard: Contingency plan – Testing and revision procedures164.310(a)(2)(ii) Standard: Facility access controls – Facility security plan >>