In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard Standard (Information Access Management). This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as we have noted in a posting last week, with enactment of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.
What to Do
Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
How to Do It
The covered entity should determine in the risk analysis which workforce members need access to electronic protected health information. Then, as an outcome of the risk analysis, the covered entity should define its policies for granting access to such information. An important component of the policies should be that workforce members who are granted access are only granted access to the minimum amount of electronic protected health information needed to complete their assigned responsibilities. The covered entity should elaborate in each workforce member’s job description the need for access to electronic protected health information, the responsibilities that come with such access, and any limits to such access.
The size of a covered entity will have an impact on access authorization. For example, a small physician practice or dental office may require that each workforce member have access to electronic protected health information, whereas in a large health plan payer organization, access may be limited to workforce members adjudicating claims.
The Security Official of the covered entity should jointly develop access authorization policies with the Privacy Official (if different) so that policies and procedures are consistent with the Security and Privacy Rules. In a small covered entity, the Security Official may be the person who authorizes access and establishes access (e.g., issues unique user ID and creates authentication requirements). In a large covered entity, the Security Official should authorize access, but information technology (IT) staff may establish access.
The Security Official of the covered entity should document and maintain access authorization records, including which workforce members are authorized access to electronic protected health information, levels of and any changes in such access, and times of access.
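The points above (minimum-necessary access tied to a job role, authorization by the Security Official with IT staff establishing the access, and a maintained record of who holds what access, when it changed and when it was used) can be expressed as a small access-authorization register. The following Python is an added illustration, not part of the original posting or of any particular covered entity’s system; the role names, ePHI scopes and user identifiers are constructed for the example, and a real entity would derive its role-to-scope table from its own risk analysis.

```python
"""Access authorization register: least-privilege grants plus an audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Set


class Scope(Enum):
    """Categories of ePHI a workstation, transaction or program can expose.
    These scope names are constructed for the example."""
    DEMOGRAPHICS = "demographics"
    CLAIMS = "claims"
    CLINICAL_NOTES = "clinical_notes"
    BILLING = "billing"


# Minimum-necessary access per job role. A covered entity would derive this
# table from its risk analysis and job descriptions; these roles are assumed.
ROLE_MINIMUM_ACCESS: Dict[str, Set[Scope]] = {
    "claims_adjudicator": {Scope.DEMOGRAPHICS, Scope.CLAIMS},
    "billing_clerk": {Scope.DEMOGRAPHICS, Scope.BILLING},
    "treating_clinician": {Scope.DEMOGRAPHICS, Scope.CLINICAL_NOTES},
}


@dataclass(frozen=True)
class AccessEvent:
    """One line of the access authorization record (who, what, when, by whom)."""
    when: datetime
    user_id: str
    action: str                 # "grant", "revoke", "access" or "denied"
    scopes: frozenset
    authorized_by: str          # Security Official who approved the change
    established_by: str         # IT staff (or the Official) who implemented it


@dataclass
class AccessRegister:
    security_official: str
    grants: Dict[str, Set[Scope]] = field(default_factory=dict)
    log: List[AccessEvent] = field(default_factory=list)

    def _record(self, user_id, action, scopes, authorized_by, established_by, now):
        event = AccessEvent(now or datetime.now(timezone.utc), user_id, action,
                            frozenset(scopes), authorized_by, established_by)
        self.log.append(event)
        return event

    def grant(self, user_id: str, role: str, requested: Set[Scope],
              authorized_by: str, established_by: str,
              now: Optional[datetime] = None) -> AccessEvent:
        """Authorize access, refusing anything beyond the role's minimum necessary."""
        if authorized_by != self.security_official:
            raise PermissionError("only the Security Official may authorize access")
        allowed = ROLE_MINIMUM_ACCESS.get(role)
        if allowed is None:
            raise ValueError(f"unknown role {role!r}")
        excess = set(requested) - allowed
        if excess:
            names = sorted(s.value for s in excess)
            raise PermissionError(f"{role} may not be granted {names}")
        self.grants.setdefault(user_id, set()).update(requested)
        return self._record(user_id, "grant", requested, authorized_by, established_by, now)

    def revoke(self, user_id, scopes, authorized_by, established_by, now=None):
        """Remove scopes; the change is recorded like any other authorization."""
        if authorized_by != self.security_official:
            raise PermissionError("only the Security Official may change access")
        current = self.grants.get(user_id, set())
        removed = set(scopes) & current
        current.difference_update(removed)
        return self._record(user_id, "revoke", removed, authorized_by, established_by, now)

    def can_access(self, user_id, scope, now=None) -> bool:
        """Enforce the grant at access time and log the attempt either way."""
        ok = scope in self.grants.get(user_id, set())
        self._record(user_id, "access" if ok else "denied", {scope}, "", "", now)
        return ok

    def history(self, user_id) -> List[AccessEvent]:
        """The access authorization record for one workforce member."""
        return [e for e in self.log if e.user_id == user_id]


if __name__ == "__main__":
    reg = AccessRegister(security_official="security_official")
    reg.grant("adjudicator01", "claims_adjudicator", {Scope.CLAIMS},
              "security_official", "it_helpdesk")
    print(reg.can_access("adjudicator01", Scope.CLAIMS))          # True
    print(reg.can_access("adjudicator01", Scope.CLINICAL_NOTES))  # False
    for e in reg.history("adjudicator01"):
        print(e.when.isoformat(), e.action, sorted(s.value for s in e.scopes))
```

The register refuses a grant that exceeds the role’s minimum-necessary set and a grant not authorized by the Security Official, and it records every grant, revocation and access attempt (including denials) with a timestamp, which is the information the access authorization records described above need to hold.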
The Security Official should ensure that any person outside of the workforce, such as a computer hardware or software vendor or consultant, who has access to the covered entity’s systems containing electronic protected health information is subject to a business associate agreement and is counseled on the covered entity’s security policies and procedures.