This is the fourth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has three implementation specifications: Isolating Healthcare Clearinghouse Functions; Access Authorization; and Access Establishment and Modification. The first is required; the second and third are addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as we noted in a posting last week, with enactment of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, business associates will also be required to comply with the Security Rule standards, effective February 17, 2010.
The covered entity is required to implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of the HIPAA Administrative Simplification Privacy Rule. The Information Access Management Administrative Safeguard ensures that a covered entity has a management system in place to authorize workforce members to have access to electronic protected health information via a “workstation, transaction, program, process, or other mechanism.” [68 Federal Register 8377] The required Isolating Healthcare Clearinghouse Functions implementation specification may not be directly relevant to a covered entity, but it may be indirectly relevant if the covered entity uses a clearinghouse under a business associate agreement. The two other implementation specifications of the Information Access Management Administrative Safeguard—Access Authorization and Access Establishment and Modification—recognize that there are alternatives for complying with this standard, depending on the covered entity’s size and degree of automation.