This is the first Technical Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has four implementation specifications: unique user identification; emergency access procedure; automatic logoff; and encryption and decryption. The first two are required; the last two are addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.
For compliance with this Technical Safeguard Standard, a covered entity is required to implement technical policies and procedures for electronic information systems that maintain electronic protected health information, allowing access only to those persons or software programs that have been granted access rights as specified in the Administrative Safeguard Standard: Information Access Management.
This standard means that a covered entity’s Security Official must establish policies and procedures that govern how its electronic information systems allow workforce members or software programs to access electronic protected health information. Procedures for access control will be implemented through features of the covered entity’s electronic information systems, and may be part of a software application, an operating system, a database, or a combination of these. There are four commonly used approaches to controlling who has access to information and when access is available. These approaches use software tools to achieve access control, and range from simple to complex. A covered entity will choose one of the following approaches based on the outcomes of its risk analysis.
Access Control List (ACL)
The Security Official or designee (e.g., office manager or IT head) will control a workforce member’s access to specific applications.
User Based Access Control (UBAC)
The Security Official or designee will control a workforce member’s access based on the workforce member’s identity.
Role Based Access Control (RBAC)
The Security Official or designee will control a workforce member’s access based on the workforce member’s work role. For example, a workforce member with multiple job functions would be assigned multiple roles and access rights.
Context Based Access Control (CBAC)
The Security Official or designee will enhance control of a workforce member’s access through context-based rights, such as restricting access to certain dates or times, or certain devices on the covered entity’s electronic information system or network.
The Context Based Access Control approach is more complex than the preceding three approaches.
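As an added illustration, not taken from the original post or from any HIPAA.com material, the following Python sketch shows how the four approaches above can be layered into one deny-by-default access decision for a workforce member with multiple roles. The role names, operations, device ids, shift hours and user ids are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed example data: role names, device ids and hours are illustrative only.
ROLE_PERMISSIONS = {            # RBAC: work role -> operations on ePHI it grants
    "nurse": {"read_chart", "update_vitals"},
    "billing": {"read_demographics", "read_charges"},
    "physician": {"read_chart", "update_vitals", "prescribe"},
}
TRUSTED_DEVICES = {"ws-exam-01", "ws-billing-03"}   # CBAC: devices allowed to reach ePHI
SHIFT_HOURS = range(7, 20)                          # CBAC: access permitted 07:00-19:59

@dataclass
class WorkforceMember:
    user_id: str                                      # unique user identification
    granted_apps: set = field(default_factory=set)    # ACL: applications the member may open
    direct_rights: set = field(default_factory=set)   # UBAC: rights tied to this identity alone
    roles: set = field(default_factory=set)           # RBAC: a member may hold several roles

@dataclass
class Context:
    when: datetime
    device_id: str

def acl_allows(member, app):
    return app in member.granted_apps

def ubac_allows(member, right):
    return right in member.direct_rights

def rbac_allows(member, right):
    # Union over all held roles, so a nurse who also handles billing gets both sets
    return any(right in ROLE_PERMISSIONS.get(role, set()) for role in member.roles)

def cbac_allows(ctx):
    return ctx.device_id in TRUSTED_DEVICES and ctx.when.hour in SHIFT_HOURS

def authorize(member, app, right, ctx):
    """Deny-by-default decision; returns (allowed, reason) so the reason can be audited."""
    if not acl_allows(member, app):
        return False, "application not on member's access list"
    if not (ubac_allows(member, right) or rbac_allows(member, right)):
        return False, "no identity- or role-based right for this operation"
    if not cbac_allows(ctx):
        return False, "context check failed (device or time of day)"
    return True, "granted"

# Constructed workforce member holding two roles (the multi-role case described above)
NURSE_BILLER = WorkforceMember("jdoe", granted_apps={"ehr"}, roles={"nurse", "billing"})
```

The ordering matters for audit: the returned reason records which layer denied the request, which is what a Security Official needs when reviewing access attempts against the policy.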
For additional information on access control, consult the National Institute of Standards and Technology (NIST) Interagency Report 7316, Assessment of Access Control Systems.