This entry is part 27 of 59 in the series Complete Guide to HIPAA Security Final Rule

(ii) Implementation specifications:

(C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.

Tell Me More:

Once access has been authorized, the covered entity needs to consider creating and implementing policies and procedures to establish that access and to modify that access in the future as needed. The objective of the Access Establishment and Modification implementation specification is to implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.

Access establishment is about security policies and rules that determine an entity’s initial right of access to a terminal, transaction, program, process, or some other user.  Access modification is about security policies and rules that determine the types of, and reasons for, modification to an entity’s established right of access, to a terminal, transaction, program, process, or some other user.

Access establishment and modification should not be mandated but rather suggested as a means of complying. These specifications for access authorization and access establishment and modification are addressable. The degree to which these specifications will be implemented will have to be based, among other issues, on the organization’s size, risk analysis and risk management strategy, cost, technical infrastructure and complexity, and degree of automation.  A covered entity with a fully automated technical infrastructure spanning multiple locations and involving hundreds or thousands of employees may determine it needs to adopt a formal policy for access authorization, while a small provider may decide that a desktop standard operating procedure will meet the specifications.

The procedures should describe how access is actually implemented through the use of various systems and procedures, including passwords and card keys. An authentication policy will establish trust through an effective password policy, and by setting guidelines for remote location authentication and the use of authentication devices (e.g., one-time passwords and the devices that generate them). An accountability policy defines the responsibilities of users, operations staff, and management. It should specify an audit capability, and provide incident handling guidelines as appropriate.

The organization should monitor access to ensure individuals have access to the ePHI they need and no more. If an individual has too little access, access should be authorized and expanded. If they have too much access, access needs to be restricted. The Security Rule does not dictate a particular access control mechanism; however, user-based, role-based, and context-based access control procedures are the most prevalent and widely used. Consistent access management is a critical component of effective security. Ensuring that workforce members and other users have only the privileges required to perform their job functions mitigates a great deal of risk, as the greatest threat to security has always been the insider.

Questions to consider:

  • Does the organization monitor access to ePHI and modify access on an ongoing basis?
  • Is the organization exercising care not only when establishing access, but ensuring a process is in place to regularly review privileges to ensure they are consistent with an employee’s job function needs?
  • Does the organization employ the principles of least privilege, separation of duties, and need-to-know in making access determinations?
  • Is the organization using role- and/or context-based access controls to ease administrative burdens (especially in larger environments)?
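As an added illustration (not part of the original post), the following Python sketch shows how the review and modification steps above can be automated against a role-based authorization policy: it flags entitlements a user holds beyond what their roles authorize, flags missing ones, checks a separation-of-duties rule, and refuses to apply a change that is not documented with a reason and an approver. The roles, entitlement names, and the SoD rule are constructed for the example.

```python
"""Role-based access review and documented modification (constructed example)."""
from datetime import datetime, timezone

# Constructed authorization policy: each role maps to the entitlements it permits.
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr.read", "ehr.write"},
    "billing": {"claims.read", "claims.submit"},
    "auditor": {"ehr.read", "claims.read", "audit.read"},
}
# Constructed separation-of-duties rule: nobody may both submit and approve claims.
SOD_CONFLICTS = [("claims.submit", "claims.approve")]


def authorized_for(roles):
    """Entitlements a user's assigned roles authorize (union over roles)."""
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))


def review_access(user):
    """Compare a user's actual entitlements with the authorized set.

    user is {"id": str, "roles": [...], "entitlements": {...}}.
    Returns what to revoke (excess), what to grant (missing), and SoD conflicts.
    """
    expected = authorized_for(user["roles"])
    actual = set(user["entitlements"])
    return {
        "user": user["id"],
        "excess": sorted(actual - expected),
        "missing": sorted(expected - actual),
        "sod": [pair for pair in SOD_CONFLICTS if set(pair) <= actual],
    }


def modify_access(user, grant=(), revoke=(), reason="", approver="", log=None):
    """Establish or modify access; undocumented changes are refused and every
    applied change is appended to `log` so the trail shows who changed what and why."""
    if not reason or not approver:
        raise ValueError("access changes must record a reason and an approver")
    user["entitlements"] = (set(user["entitlements"]) | set(grant)) - set(revoke)
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user["id"],
             "grant": sorted(grant), "revoke": sorted(revoke),
             "reason": reason, "approver": approver}
    if log is not None:
        log.append(entry)
    return entry
```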


Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations, and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.