(ii) Implementation specifications:
(B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
Tell Me More:
For the Access Authorization implementation specification, covered entities and business associates must implement policies and procedures for granting access to electronic protected health information, for example through access to a workstation, transaction, program, process, or other mechanism. This implementation might include information use policies and procedures that establish the rules for granting access to a terminal, transaction, program, process, or other mechanism.
Guidelines to follow when implementing policies and procedures for granting access to ePHI include, but are not limited to, the following:
- Most breaches of confidentiality result from poor personnel security, which is often the result of poorly designed or managed access authorization. Hence, your entity must ensure that access is limited so as to minimize this risk.
- HIPAA, its implementing regulations, other state and federal laws, professional ethics, and accreditation requirements specify that only those individuals with a need to access and use ePHI should have access to such information.
- Limiting access to those with a need to know and giving them no more access than necessary for performance of their duties will help [YOUR COMPANY’S NAME HERE] comply with the HIPAA Privacy regulation’s “minimum necessary” rule.
- Those with authorized access should have no more access than needed for the performance of their responsibilities.
- An emergency override may be necessary for some ePHI users, such as physicians and nurses, so that they can respond to emergencies.
- HIPAA, its implementing regulations, and good practice require screening of all personnel with access.
Each covered entity should consider developing and implementing policies and procedures for granting and maintaining privileges for individuals to access electronic confidential information. The Security Officer or some other designated individual should document and maintain such access authorization records. For each authorization, the covered entity should document the access granted, its level, the defined time period for which it applies, and the role on which it is based. When non-workforce personnel use the computer for maintenance or hardware installation, they need authorization and should be required to sign and date the required documents (e.g., a confidentiality agreement).
Questions to consider:
- Does the organization grant access to ePHI for each individual within the organization based on the individual’s job functions? The organization must ensure that each individual has access to only the ePHI they need to perform their jobs.
- Does the organization control access to ePHI at the workstation, program, process, or records level, as appropriate? Each organization must evaluate the appropriate level at which to control access to ePHI. The larger the organization and the more ePHI it holds, the greater the likelihood that more specific controls are necessary.
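The record-keeping and need-to-know points above, as an added illustration that is not part of this guidance: a small Python authorization register (the roles, resources and user names are constructed samples) that ties each grant to a role, an approver and a defined time period, denies anything outside the role's entitlement, and logs every emergency override so the Security Officer can review it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Role -> permitted (resource, level) pairs; roles and resources are constructed samples.
ROLE_ENTITLEMENTS = {
    "nurse": {("patient_chart", "read"), ("medication_orders", "read")},
    "physician": {("patient_chart", "read"), ("patient_chart", "write"), ("medication_orders", "write")},
}

@dataclass
class Authorization:
    user: str
    role: str
    granted_by: str      # Security Officer (or delegate) who approved the grant
    starts: datetime
    expires: datetime    # defined time: the grant lapses unless re-approved

@dataclass
class AuthorizationRegister:
    grants: dict = field(default_factory=dict)      # user -> current Authorization
    audit_log: list = field(default_factory=list)   # every grant, denial and override
    def grant(self, auth: Authorization) -> None:
        self.grants[auth.user] = auth
        self.audit_log.append(("grant", auth.user, auth.role, auth.granted_by, auth.expires.isoformat()))

    def is_permitted(self, user, resource, level, now, emergency=False) -> bool:
        auth = self.grants.get(user)
        if auth is None or not (auth.starts <= now < auth.expires):
            self.audit_log.append(("deny", user, resource, level, "no current authorization"))
            return False
        if (resource, level) in ROLE_ENTITLEMENTS.get(auth.role, set()):
            return True  # within the role's minimum-necessary entitlement
        # Emergency override: clinical roles only, patient chart only, and every use is logged for review
        if emergency and auth.role in {"physician", "nurse"} and resource == "patient_chart":
            self.audit_log.append(("emergency_override", user, auth.role, resource, level))
            return True
        self.audit_log.append(("deny", user, resource, level, "outside role entitlement"))
        return False
def run_scenario() -> dict:
    """Constructed scenario covering need-to-know, expiry, non-workforce users and the override."""
    reg = AuthorizationRegister()
    now = datetime(2024, 1, 15, 9, 0)
    reg.grant(Authorization("nurse01", "nurse", "security_officer", now - timedelta(days=1), now + timedelta(days=90)))
    return {
        "chart_read": reg.is_permitted("nurse01", "patient_chart", "read", now),
        "chart_write": reg.is_permitted("nurse01", "patient_chart", "write", now),
        "chart_write_emergency": reg.is_permitted("nurse01", "patient_chart", "write", now, emergency=True),
        "after_expiry": reg.is_permitted("nurse01", "patient_chart", "read", now + timedelta(days=91)),
        "unknown_user": reg.is_permitted("contractor", "patient_chart", "read", now),
        "override_logged": any(e[0] == "emergency_override" for e in reg.audit_log),
    }
```

Each denial and override lands in `audit_log`, which is the record the Security Officer would review and the evidence that access is granted by role and time rather than ad hoc.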