(2) Implementation specifications:

(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.

Tell Me More:

The Unique User Identification implementation specification of the Access Control standard requires covered entities to assign a unique name and/or number for identifying and tracking user identity. Username/password combinations, digital signatures, soft tokens, biometrics, and other mechanisms can be used to implement this requirement. This implementation specification effectively prohibits the sharing of user names between employees in most situations.

Each covered entity and business associate must have the technical ability to assign unique identifiers for each user – person or machine. Entity identification may be necessary at the workstation, program or process, or record level, depending on the structure of the organization and its workforce.

Questions to consider:

  • Does the organization have appropriate technical systems in place to allow for the assignment of unique user identifiers? Note that actual assignment and use of identifiers is addressed under administrative safeguards.
  • Can the technical systems be configured to grant access at various levels depending on the job function of each user? It may be necessary to control access at the program, process, or record level, depending on the data involved and the needs of each user.
