Access Control: What This HIPAA Security Rule Technical Safeguard Standard Means

June 2, 2009 · HIPAA Law

This is the first Technical Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has four implementation specifications: unique user identification; emergency access procedure; automatic logoff; and encryption and decryption. The first two are required; the last two are addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. As we have noted in earlier postings on HIPAA.com, business associates of covered entities will be required to comply with the Security Rule safeguard standards beginning February 17, 2010. This requirement is one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009.

For compliance with this Technical Safeguard Standard, a covered entity is required to implement technical policies and procedures for electronic information systems that maintain electronic protected health information, allowing access only to those persons or software programs that have been granted access rights as specified in the Administrative Safeguard Standard: Information Access Management.

This standard means that a covered entity’s Security Official must establish policies and procedures that govern how its electronic information systems allow workforce members or software programs to access electronic protected health information. Access control procedures are implemented through features of the covered entity’s electronic information systems, and may be part of a software application, operating system, database, or a combination thereof. There are four commonly used approaches to controlling who has access to information and when access is available. These approaches use software tools to achieve access control, and vary from simple to complex. A covered entity will choose one of the following approaches based on the outcomes of its risk analysis.

Access Control List (ACL)

The Security Official or designee (e.g., office manager or IT head) will control a workforce member’s access to specific applications.

User Based Access Control (UBAC)

The Security Official or designee will control a workforce member’s access based on the workforce member’s identity.

Role Based Access Control (RBAC)

The Security Official or designee will control a workforce member’s access based on the workforce member’s work role. For example, a workforce member with multiple job functions would be assigned multiple roles and access rights.

Context Based Access Control (CBAC)

The Security Official or designee will enhance control of a workforce member’s access through context-based rights, such as restricting access to certain dates or times, or certain devices on the covered entity’s electronic information system or network.

The Context Based Access Control approach is relatively more complex than the preceding three approaches.
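As an added illustration (not code from this post or from any covered entity’s system), the following shows how the RBAC and CBAC approaches above combine in a single access decision: roles grant permissions, and context rules (permitted hours, approved devices) narrow that grant. The role names, permissions, user identifiers and device names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed sample: hypothetical roles and permissions, not taken from the post.
ROLE_PERMISSIONS = {
    "physician":    {"ephi:read", "ephi:write"},
    "billing":      {"ephi:read"},
    "receptionist": {"schedule:read"},
}

@dataclass
class WorkforceMember:
    user_id: str                                 # unique user identification
    roles: Set[str]                              # RBAC: a member may hold several roles
    allowed_hours: Tuple[int, int] = (0, 24)     # CBAC: [start, end) on a 24h clock
    allowed_devices: Optional[Set[str]] = None   # CBAC: None means any device

def decide(member: WorkforceMember, permission: str, hour: int,
           device_id: str) -> Tuple[bool, str]:
    """Return (granted, reason). RBAC decides whether any role carries the
    permission; CBAC then narrows the grant by time of day and device.
    The caller supplies the current hour and the requesting device's id."""
    # RBAC: union of the permissions of every role the member holds
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in member.roles))
    if permission not in granted:
        return False, f"{member.user_id}: no assigned role grants {permission}"
    # CBAC: time-of-day restriction
    start, end = member.allowed_hours
    if not start <= hour < end:
        return False, f"{member.user_id}: outside permitted hours {start:02d}-{end:02d}"
    # CBAC: device restriction
    if member.allowed_devices is not None and device_id not in member.allowed_devices:
        return False, f"{member.user_id}: device {device_id} is not approved"
    return True, f"{member.user_id}: {permission} granted via roles {sorted(member.roles)}"

# Constructed sample members (hypothetical identifiers)
DR_LEE = WorkforceMember("u1001", {"physician", "billing"})
CLERK = WorkforceMember("u2002", {"billing"}, allowed_hours=(8, 18),
                        allowed_devices={"ws-frontdesk-01"})

if __name__ == "__main__":
    for args in [(DR_LEE, "ephi:write", 2, "laptop-7"),
                 (CLERK, "ephi:read", 10, "ws-frontdesk-01"),
                 (CLERK, "ephi:read", 20, "ws-frontdesk-01"),
                 (CLERK, "ephi:read", 10, "laptop-7"),
                 (CLERK, "ephi:write", 10, "ws-frontdesk-01")]:
        print(decide(*args))
```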

For additional information on access control, consult the National Institute of Standards and Technology (NIST) Interagency Report 7316, Assessment of Access Control Systems.
