(a) A covered entity must, in accordance with § 164.306:

(4)(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

The information access management standard has three (3) implementation specifications:

  • (A) Isolating health care clearinghouse functions (Required).
  • (B) Access authorization (Addressable).
  • (C) Access establishment and modification (Addressable).
