
(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Tell Me More:

The objective of the Person or Entity Authentication standard is to implement procedures to verify that a person or entity seeking access to electronic protected health information (ePHI) is the one claimed. This standard has no separate implementation specifications; the standard itself serves as the implementation specification.

Authentication is typically the first step in gaining access to a system. Authentication is the process of “proving” your identity. A system needs to authenticate users to a degree appropriate for the level of risk that an authenticated user represents. Typing a username and a password, for example, authenticates you as a user of the system.

Covered entities must have in place appropriate technical processes to authenticate the identity of each person or entity (usually another computer or process) accessing or attempting to access PHI. This access can be at the workstation or program level, depending on the requirements of the organization. These technical processes usually require persons and entities to provide a password, a physical identifier (e.g., a token) or a biometric identifier. Access by individuals is governed through the administrative policies and procedures related to the use of passwords and individual access to ePHI. Similar policies and procedures must be in place to authenticate entities, to ensure that ePHI is shared only with appropriate, authorized entities.

Many different mechanisms may be used to authenticate persons or entities, and the final rule reflects this fact by not incorporating a list of implementation specifications, in order to allow covered entities to use whatever is reasonable and appropriate. “Digital signatures” and “soft tokens” may be used, as well as many other mechanisms, to implement this standard.

When considering authentication solutions, it is important to consider the criticality and sensitivity of the information. Using a simultaneous combination of authentication mechanisms, called multifactor authentication, can help mitigate the risk of authentication controls being circumvented. An example of this approach is to require a fingerprint scan (biometric) followed by the entry of a password, rather than just one or the other. In this case, a compromised password would be rendered useless since a matching fingerprint is required, and a forged fingerprint alone would not achieve an attacker’s goals if the password was not also known. While this approach provides solid authentication, care should be taken to balance the level of assurance needed with the associated financial and performance costs.
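To make the multifactor point concrete, the following is an added example (not code from the original post or from Clearwater Compliance) that pairs a salted password hash with a "soft token" one-time code of the kind the rule mentions; the credential record, secret values and hypothetical function names are all constructed for the demonstration. It shows that a correct password with a wrong token, or a correct token with a wrong password, is rejected, so compromising one factor alone does not grant access.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo values; in a real deployment the password hash and the
# soft-token seed live in a protected credential store, never in source.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 hash; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp_code(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code, as produced by a soft-token app."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def make_record(password: str) -> dict:
    """Enrol a workforce member: random salt, password hash, random token seed."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "password_hash": hash_password(password, salt),
            "totp_secret": secrets.token_bytes(20)}


def verify_login(record: dict, password: str, submitted_code: str, now: int) -> bool:
    """Both factors are evaluated before the decision, so a wrong password and a
    wrong token take the same path and the caller learns only pass/fail."""
    password_ok = hmac.compare_digest(
        hash_password(password, record["salt"]), record["password_hash"])
    # Accept the current 30-second step and one step either side for clock drift.
    token_ok = any(
        hmac.compare_digest(totp_code(record["totp_secret"], now + drift), submitted_code)
        for drift in (-30, 0, 30))
    return password_ok and token_ok


if __name__ == "__main__":
    rec = make_record("correct horse battery")
    now = 1_700_000_000
    code = totp_code(rec["totp_secret"], now)
    print("both factors:", verify_login(rec, "correct horse battery", code, now))
    print("password only:", verify_login(rec, "correct horse battery", "000000", now))
    print("token only:   ", verify_login(rec, "leaked guess", code, now))
```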

A complete set of HIPAA Security Policies and Procedures may be purchased here.

Questions to consider:

  • Has the organization implemented policies and procedures instructing workforce members to not allow other persons or entities to use their unique authentication information to access systems or applications containing ePHI?
  • Has the organization implemented policies and procedures to instruct workforce members to ensure they verify the identity of the receiving person or entity prior to transmitting ePHI?
  • Are appropriate measures in place to authenticate the identity of each person accessing or attempting to access PHI?
  • Are appropriate measures in place to authenticate the identity of each entity accessing or attempting to access PHI?
  • Has the organization implemented procedures to verify that a person or entity seeking electronic access to ePHI is the one claimed (e.g., biometrics, passwords, PINs, telephone callbacks or tokens)?


Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.