This entry is part 10 of 59 in the series Complete Guide to HIPAA Security Final Rule

(2) Implementation specifications:

(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.

Tell Me More:

The Unique User Identification implementation specification of the Access Control standard requires covered entities to assign a unique name and/or number for identifying and tracking user identity. Username/password combinations, digital signatures, soft tokens, biometrics as well as other mechanisms can be used to implement this requirement. This implementation specification effectively prohibits the sharing of user names between employees in most situations.

Each covered entity and business associate must have the technical ability to assign unique identifiers for each user – person or machine. Entity identification may be necessary at the workstation, program or process, or record level, depending on the structure of the organization and its workforce.

A complete set of HIPAA Security Policies and Procedures may be purchased here.

Questions to consider:

  • Does the organization have appropriate technical systems in place to allow for the assignment of unique user identifiers? Note that actual assignment and use of identifiers is addressed under administrative safeguards.
  • Can the technical systems be configured to grant access at various levels depending on the job function of each user? It may be necessary to control access at the program, process, or record level, depending on the data involved and the needs of each user?


Series Navigation<< 164.310(a)(1) Physical safeguards – Standard: Facility access controls164.308(b)(1) Administrative safeguards – Standard: Business associate contracts and other arrangements >>

Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.