(2) Implementation specifications:
(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
Tell Me More:
The Unique User Identification implementation specification of the Access Control standard requires covered entities to assign a unique name and/or number for identifying and tracking user identity. Username/password combinations, digital signatures, soft tokens, biometrics, as well as other mechanisms, can be used to implement this requirement. This implementation specification effectively prohibits the sharing of user names between employees in most situations.
Each covered entity and business associate must have the technical ability to assign unique identifiers for each user – person or machine. Entity identification may be necessary at the workstation, program or process, or record level, depending on the structure of the organization and its workforce.
Questions to consider:
- Does the organization have appropriate technical systems in place to allow for the assignment of unique user identifiers? Note that actual assignment and use of identifiers is addressed under administrative safeguards.
- Can the technical systems be configured to grant access at various levels depending on the job function of each user? It may be necessary to control access at the program, process, or record level, depending on the data involved and the needs of each user.
Related NIST publications:
- NIST SP 800-12, chapter 17, An Introduction to Computer Security: The NIST Handbook
- NIST SP 800-34 Contingency Planning Guide for Information Technology Systems
- NIST SP 800-18 Guide for Developing Security Plans for Information Technology Systems
- NIST SP 800-26 Security Self-Assessment Guide for Information Technology Systems
- NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-56 Recommendation on Key Establishment Schemes
- NIST SP 800-57 Recommendation on Key Management
- NIST SP 800-63 Recommendation for Electronic Authentication
- FIPS 140-2 Security Requirements for Cryptographic Modules
- NIST SP 800-52 Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
- NIST SP 800-77 Guide to IPsec VPNs
- NIST SP 800-88 Guidelines for Media Sanitization
- NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices
- NIST SP 800-113 Guide to SSL VPNs