HIPAA - Access Authorization 164.308(a)(4)(ii)(B)


Overview:
Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.


Action Items:
1) Obtain and review policies and procedures. Evaluate the content relative to the specified performance criteria for granting access, including whether the authority to grant access and the process for granting access have been incorporated. Elements to review may include but are not limited to:
- Workforce members or roles required to approve requests to create information system accounts
- Procedures to create, enable, modify, disable, and remove information system accounts
- Determination of what the authorization of access is based on
2) Obtain and review documentation associated with the granting of access to ePHI (e.g., paper or electronic requests). Evaluate and determine whether the procedures for granting access to ePHI are in accordance with the related policies and procedures.
3) Obtain and review documentation of newly hired workforce members' access to ePHI. Evaluate the documentation to determine how access to ePHI was granted, including whether the levels of access they have to systems containing, transmitting, or processing ePHI are appropriate.
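Action items 2 and 3 amount to a reconciliation: every account that can reach ePHI should trace back to a documented request, signed off by a role with authority to grant access, after workforce clearance, and at a level that fits the job function. The script below is an added example written for this article; it is not part of the original text or of any HIPAA tooling. The role baseline, the set of approver roles, the system names, and all approval and grant records are constructed sample data, and the field names (`request_id`, `approver_role`, `clearance_completed`) are assumptions about what a provisioning ticket and an account export would carry.

```python
"""Reconcile ePHI account grants against documented access authorizations.

Added example (not from the original article). Each grant pulled from a
system or directory export is checked against: (1) a documented request
approved by a role with authority to grant access, (2) workforce clearance
completed before the grant date, and (3) the access level permitted for
the member's role. All data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical role baseline: maximum access level per ePHI system for each job role.
ROLE_BASELINE = {
    "nurse": {"ehr": "read-write", "billing": "none"},
    "billing_clerk": {"ehr": "read", "billing": "read-write"},
    "it_admin": {"ehr": "admin", "billing": "admin"},
}
LEVEL_RANK = {"none": 0, "read": 1, "read-write": 2, "admin": 3}
# Roles whose sign-off counts as authority to grant access (assumption for the example).
APPROVER_ROLES = {"privacy_officer", "department_manager"}


@dataclass(frozen=True)
class Approval:
    request_id: str
    user: str
    system: str
    level: str
    approver_role: str
    approved_on: date


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    system: str
    level: str
    granted_on: date
    request_id: Optional[str]  # ticket reference recorded at provisioning, if any


Finding = Tuple[str, str, str]  # (user, system, description)


def reconcile(grants: List[Grant], approvals: List[Approval],
              clearance_completed: Dict[str, date]) -> List[Finding]:
    """Return one finding per control failure; an empty list means every grant is supported."""
    by_id = {a.request_id: a for a in approvals}
    findings: List[Finding] = []
    for g in grants:
        approval = by_id.get(g.request_id) if g.request_id else None
        if approval is None:
            findings.append((g.user, g.system, "no documented authorization"))
        else:
            if (approval.user, approval.system) != (g.user, g.system):
                findings.append((g.user, g.system, "authorization refers to a different user or system"))
            if approval.approver_role not in APPROVER_ROLES:
                findings.append((g.user, g.system,
                                 f"approved by role without authority: {approval.approver_role}"))
            if LEVEL_RANK[g.level] > LEVEL_RANK[approval.level]:
                findings.append((g.user, g.system,
                                 f"granted {g.level} but only {approval.level} was approved"))
        # Workforce clearance (164.308(a)(3)) must be complete before access is granted.
        cleared = clearance_completed.get(g.user)
        if cleared is None or cleared > g.granted_on:
            findings.append((g.user, g.system, "clearance not completed before grant"))
        # Access level must not exceed what the role baseline allows for that system.
        allowed = ROLE_BASELINE.get(g.role, {}).get(g.system, "none")
        if LEVEL_RANK[g.level] > LEVEL_RANK[allowed]:
            findings.append((g.user, g.system,
                             f"{g.level} exceeds role baseline {allowed} for {g.role}"))
    return findings


# Constructed sample records: approved requests, provisioned accounts, clearance dates.
APPROVALS = [
    Approval("R-1", "alice", "ehr", "read-write", "department_manager", date(2022, 9, 1)),
    Approval("R-2", "bob", "billing", "read-write", "department_manager", date(2022, 9, 5)),
    Approval("R-3", "bob", "ehr", "read-write", "team_lead", date(2022, 9, 5)),
    Approval("R-4", "carol", "ehr", "admin", "privacy_officer", date(2022, 9, 10)),
]
GRANTS = [
    Grant("alice", "nurse", "ehr", "read-write", date(2022, 9, 2), "R-1"),
    Grant("bob", "billing_clerk", "billing", "read-write", date(2022, 9, 6), "R-2"),
    Grant("bob", "billing_clerk", "ehr", "read-write", date(2022, 9, 6), "R-3"),
    Grant("dave", "nurse", "ehr", "read-write", date(2022, 9, 7), None),
    Grant("carol", "it_admin", "ehr", "admin", date(2022, 9, 11), "R-4"),
]
CLEARANCE = {"alice": date(2022, 8, 30), "bob": date(2022, 9, 1), "carol": date(2022, 9, 12)}

if __name__ == "__main__":
    for user, system, description in reconcile(GRANTS, APPROVALS, CLEARANCE):
        print(f"{user:6} {system:8} {description}")
```

Run against the sample data, the script reports nothing for alice or for bob's billing account, flags bob's EHR account twice (approver without authority, and read-write exceeds the read baseline for a billing clerk), flags dave's account for having no request on file and no clearance, and flags carol's admin account because clearance was completed the day after the grant. Each finding maps to a question an auditor would ask under action items 2 and 3.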


Related Documents:
1) Documentation associated with the granting of access to ePHI (e.g., paper or electronic requests)
2) Documentation of newly hired workforce members' access to ePHI.


Additional Guidance:
Once the covered entity has determined that the person or system is authorized, there are numerous ways to grant access to ePHI. In general, a covered entity's policies and procedures must identify who has authority to grant access privileges. They must also state the process for granting access. To create and document policies and procedures for granting access, covered entities should address the following questions.


Sample questions for covered entities to consider:
- How is authorization documented? How can it be used to grant access?
- Are the policies and procedures for granting access consistent with applicable requirements of the Privacy Rule?
- Have appropriate authorization and clearance procedures, as specified in workforce security, been performed prior to granting access?
- Are access rules specific to applications and business requirements? For example, do different workforce members require different levels of access based on job function?
- Is there a technical process in place, such as creating a unique user name and an authentication process, when granting access to a workforce member?


Once a covered entity has clearly defined who should get access to what ePHI and under what circumstances, it must consider how access is established and modified.



Article ID: 445
Created: September 28, 2022
Last Updated: September 28, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/hipaa-access-authorization-164-308-a-4-ii-b-445.html