This is the fourth Technical Safeguard Standard of the HIPAA Administrative Simplification Security Rule. There is not a separately described implementation specification. Rather, this standard’s implementation specification is connoted in the language of the standard and is required. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards, beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.
For compliance with this Technical Safeguard Standard, a covered entity is required to implement procedures to verify that a person or entity seeking access to electronic protected health information is the person or entity claimed.
This standard means that a covered entity’s Security Official must establish policies and procedures that require a workforce member or business associate, such as the covered entity’s software or hardware vendor, to verify who or what entity seeks access to electronic protected health information. This standard requires more than just password management, and includes maintaining audit trails so that the covered entity can authenticate who or what entity is creating, reading, altering, destroying, or transmitting electronic protected health information. Procedures for authentication control will be implemented through features of the covered entity’s electronic information systems, and may be part of a software application, an operating system, a database, or a combination thereof. The Security Official should consult with its hardware and software vendors regarding the authentication capabilities of its electronic media. A covered entity should consider threats and vulnerabilities regarding authentication as part of its risk analysis.