HIPAA Compliance

Information Access Management: Access Establishment and Modification - What to Do and How to Do It

February 27, 2009 | HIPAA Law

In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Administrative Safeguard Standard (Information Access Management). This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as we have noted in a posting last week, with enactment of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.

What to Do

Implement policies and procedures that, based upon the covered entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.

How to Do It

The covered entity should develop a procedure for periodically reviewing and modifying a workforce member’s right of access to workstations, transactions, programs, and processes of the covered entity that contain electronic protected health information. Such modifications should be based on changes in job responsibilities for workforce members of the covered entity. Any changes should be documented in writing, and all documentation should be maintained for at least six years from the date of any changes.

The Security Official should be responsible for documenting and maintaining access authorization records of workforce members authorized access to systems containing electronic protected health information. The Security Official should be responsible for counseling and providing any discipline to workforce members who alter, modify, or in any way change electronic protected health information without authorization. The Security Official also should provide periodic reminders to the workforce pertaining to system access.

The Security Official should ensure that any person outside of the workforce who has access to the covered entity’s systems containing electronic protected health information, such as a computer hardware or software vendor or consultant, is subject to a business associate agreement and is counseled on the covered entity’s security policies and procedures.
