HIPAA - Information Access Management 164.308(a)(4)(i)
Overview:
Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
Action Items:
1) Obtain and review the policies and procedures to determine that they reasonably and appropriately restrict access to only those persons and entities with a need for access. Also obtain the entity’s policies and procedures related to minimum necessary [45 CFR 164.502(b)] and safeguards [45 CFR 164.514(d)] to determine that the policies and procedures subject to this inquiry support the entity’s compliance with the minimum necessary requirement and the safeguards requirement, which limit unnecessary or inappropriate access to and disclosure of protected health information.
Related Documents:
1) Policies and procedures, reviewed to determine that they reasonably and appropriately restrict access to only those persons and entities with a need for access.
Additional Guidance:
Restricting access to only those persons and entities with a need for access is a basic tenet of security. By implementing this standard, the risk of inappropriate disclosure, alteration, or destruction of EPHI is minimized. Covered entities must determine those persons and/or entities that need access to EPHI within their environment.
Compliance with this standard should support a covered entity’s compliance with the HIPAA Privacy Rule minimum necessary requirements, which require covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. To better understand this standard, covered entities should review the minimum necessary standard of the HIPAA Privacy Rule. See 45 CFR 164.502(b) and 164.514(d).
The Information Access Management standard has three implementation specifications:
1. Isolating Health Care Clearinghouse Functions
2. Access Authorization
3. Access Establishment and Modification