HIPAA - Authorization and/or Supervision 164.308(a)(3)(ii)(A)


Overview:
Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.


Action Items:
1) Obtain and review policies and procedures related to the authorization and/or supervision of workforce members. Evaluate the content in relation to the specified performance criteria and determine that appropriate authorization and/or supervision of workforce members who work with EPHI or in a location where it might be accessed is incorporated in the process.
2) Obtain and review documentation regarding how requests for information systems that contain EPHI and access to EPHI are processed. Evaluate and determine if appropriate authorization and/or supervision for granting access to information systems that contain EPHI is incorporated in the process and is in accordance with related policies and procedures. Elements to review may include but are not limited to:
   - Identification of who has the authorization and/or supervisory permission to approve access to information systems and/or locations where ePHI may be accessed
   - How access requests to information systems are submitted
   - How access to the information systems is granted
   - How requests to access ePHI are submitted
   - How access to ePHI is granted
   - How authorization and/or supervisory approvals are verified
   - How a workforce member's level of access to ePHI is verified
3) Obtain and review documentation demonstrating how access requests to locations where EPHI might be accessed are processed. Evaluate and determine if appropriate authorization for granting access to locations where EPHI might be accessed is incorporated in the process and is in accordance with related policies and procedures. Elements to review may include but are not limited to:
   - How access requests to locations are submitted
   - How access requests to locations are granted
   - How authorization and/or supervisory approvals are verified
   - How a workforce member's level of access to a location is verified
4) Obtain and review documentation of workforce members who were authorized access to EPHI or locations where EPHI might be accessed and organizational charts/lines of authority. Evaluate and determine if access requests were properly authorized in accordance with the entity's related policies and procedures and in accordance with established lines of authority.


Related Documents:
1) Policies and procedures related to the authorization and/or supervision of workforce members.
2) Documentation regarding how requests for information systems that contain ePHI and access to ePHI are processed.
3) Documentation demonstrating how access requests to locations where ePHI might be accessed are processed.
4) Documentation of workforce members who were authorized access to ePHI or locations where ePHI might be accessed and organizational charts/lines of authority.


Additional Guidance:
Authorization is the process of determining whether a particular user (or a computer system) has the right to carry out a certain activity, such as reading a file or running a program. Implementation of this addressable implementation specification will vary among covered entities, depending upon the size and complexity of the workforce, and the information systems that contain EPHI. For example, in a very small provider office, all staff members may need to access all EPHI in their information system, since they may perform multiple functions. In this case, the covered entity might document the reasons for implementing policies and procedures allowing this kind of global access. If the documented rationale is reasonable and appropriate, this may be an acceptable approach.


To determine the most reasonable and appropriate authorization and/or supervision procedures, covered entities may want to ask some basic questions about existing policies and procedures.


Sample questions for covered entities to consider:
- Are detailed job descriptions used to determine what level of access the person holding the position should have to EPHI?
- Who has or should have the authority to determine who can access EPHI, e.g., supervisors or managers?
- Are there similar existing processes used for paper records that could be used as an example for the EPHI?




Article ID: 440
Created: September 28, 2022
Last Updated: September 28, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/hipaa-authorization-and-or-supervision-164-308-a-3-ii-a-440.html