In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Technical Safeguard Standard, Access Control. This implementation specification is required. As we noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.
What to Do
Assign a unique name and/or number for identifying and tracking user identity.
How to Do It
The covered entity should establish a policy whereby its Security Official assigns unique user identification to each workforce member. This ID can be alpha, numeric, or a combination thereof. The Security Official or his designee (e.g., office manager or IT head) should manage and track user identity, especially when new workforce members are employed, current workforce members change jobs or roles within jobs, or when a workforce member changes a name.
If the covered entity uses the access control list (ACL) approach to access control, then the covered entity should assign a unique username and password for login to its electronic information system or network and applications. If the covered entity uses a role based access control (RBAC) or user based access control (UBAC) approach, then the covered entity should assign access controls based on roles (RBAC) or rules to govern how workforce members access information (UBAC). The covered entity’s software and system vendors can help in these assignments.
The covered entity should change passwords according to the timetable established in its policies and procedures. The timetable will be dictated by outcomes of the covered entity’s risk analysis. The covered entity should consider passwords containing at least seven alphanumeric characters to make them difficult to guess or decode.