In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Administrative Safeguard Standard (Information Access Management). This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as we have noted in a posting last week, with enactment of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.
What to Do
Implement policies and procedures that, based upon the covered entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.
How to Do It
The covered entity should develop a procedure for periodically reviewing and modifying a workforce member’s right of access to workstations, transactions, programs, and processes of the covered entity that contain electronic protected health information. Such modifications should be based on changes in job responsibilities for workforce members of the covered entity. Any changes should be documented in writing, and all documentation should be maintained for at least six years from the date of any changes.
The Security Official should be responsible for documenting and maintaining access authorization records for workforce members who are authorized to access systems containing electronic protected health information. The Security Official should be responsible for counseling and providing any discipline to workforce members who alter, modify, or in any way change electronic protected health information without authorization. The Security Official also should provide periodic reminders to the workforce pertaining to system access.
The Security Official should ensure that any person outside of the workforce, such as a computer hardware or software vendor or consultant, who has access to the covered entity’s systems containing electronic protected health information is subject to a business associate agreement and is counseled on the covered entity’s security policies and procedures.