HIPAA - Access Establishment and Modification 164.308(a)(4)(ii)(C)
Overview:
Implement policies and procedures that, based upon the covered entity’s or the business associate’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.
Action Items:
1) Obtain and review the policies and procedures. Evaluate their content relative to the specified performance criteria for authorizing access, and for documenting, reviewing, and modifying a user's right of access to a workstation, transaction, program, or process.
2) Obtain and review documentation regarding individuals whose access to information systems has been reviewed based on access authorization policies. Evaluate and determine whether individuals' access has been reviewed and recertified in a timely manner by the appropriate personnel.
3) Obtain and review documentation demonstrating that individuals' access to information systems has been modified based on access authorization policies. Evaluate and determine whether each modification was appropriate under those policies, and whether it was completed and approved by the appropriate personnel.
Related Documents:
1) Documentation regarding individuals whose access to information systems has been reviewed based on access authorization policies.
2) Documentation demonstrating individuals whose access to information systems has been modified based on access authorization policies.
Additional Guidance:
This means that a covered entity or business associate must implement and manage the creation and modification of access privileges to workstations, transactions, programs, or processes. Responsibility for this function may be assigned to a specific individual or individuals, who may also be responsible for terminating access privileges for workforce members. Covered entities must evaluate existing procedures, update them if needed, and document them.
Sample questions for covered entities to consider:
- Are policies and procedures in place for establishing access and modifying access?
- Are system access policies and procedures documented and updated as necessary?
- Do members of management or other workforce members periodically review the list of persons with access to EPHI to ensure they are valid and consistent with those authorized?