Overview:
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
Action Items:
1) Obtain and review policies and procedures related to access control. Evaluate the content relative to the specified performance criteria to determine if ePHI is only accessible to authorized persons or software programs. Elements to review may include but are not limited to:
   - Identification of the capabilities of electronic information system access controls (i.e., read-only, modify, full access);
   - Identification of the type of access controls implemented for the electronic information systems;
   - Identification of how system and generic IDs/accounts are implemented, managed and controlled by technical access controls;
   - Workforce members' roles and responsibilities regarding the capabilities to add, modify, or delete user access;
   - The frequency of review and verification of user access to electronic information systems that maintain ePHI;
   - The frequency of review and verification of software program access to electronic information systems that maintain ePHI;
   - How access is removed upon termination or modified upon change of position.
2) Obtain and review documentation demonstrating the implementation of access controls for electronic information systems that maintain ePHI. Evaluate and determine whether the electronic information systems have the capacity to enable access controls; if access controls can be enabled, whether the enabled access controls are configured in accordance with the access control policies and procedures; and how the electronic information systems' technical access capabilities are defined (i.e., read-only, modify, full-access).
3) Obtain and review documentation demonstrating a list of new workforce members from the electronic information system who were granted access to ePHI. Obtain and review documentation demonstrating the access levels granted to new workforce members. Evaluate and determine whether workforce members' access was approved; review the new workforce members' technical access granted and compare it to approved user access to determine that technical access is approved and granted in accordance with the access authorization requirements.
4) Obtain and review documentation of a list of users with privileged access. Evaluate and determine whether the privileged access is appropriate based on the access control policies.
5) Obtain and review a list of default, generic/shared, and service accounts from the electronic information systems with access to ePHI. Obtain and review documentation demonstrating the access levels granted to default, generic/shared, and service accounts. Evaluate and determine whether the default, generic/shared, and service accounts are in use and whether their access has been approved and granted in accordance with the access authorization requirements.
6) Obtain and review documentation demonstrating that periodic reviews of procedures related to access controls have been conducted. Evaluate and determine whether reviews have been performed of user access levels and evaluate the content in relation to the specified performance criteria.
7) Obtain and review documentation demonstrating a list of terminations and job transfers. Obtain documentation demonstrating the removal or modification of user access levels. Evaluate and determine whether user access level removal or modification was approved and performed in accordance with the related policies and procedures.
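The reconciliation that action items 3, 4, 5 and 7 describe (comparing the access actually granted on an ePHI system against the approved access list, the privileged-access list, the non-personal account list and the HR termination/transfer list) can be scripted once the lists are exported. The following is an added example written for this article, not code from the article's author or from any HHS audit tool; the data classes, the `reconcile` and `privileged_accounts` functions and every sample record are constructed for illustration.

```python
"""Access-control reconciliation for an ePHI system review (added example).

Compares accounts present on a system against approval records and HR events
and reports the discrepancies an access review looks for. All record types
and sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Access capabilities named in the article, least to most privileged.
LEVELS = ["read-only", "modify", "full-access"]


@dataclass(frozen=True)
class Account:
    account_id: str          # login name on the system
    owner: Optional[str]     # workforce member; None for non-personal accounts
    system: str
    level: str               # one of LEVELS
    kind: str                # "user", "default", "shared" or "service"
    enabled: bool


@dataclass(frozen=True)
class Approval:
    subject: str             # workforce member (user accounts) or account_id
    system: str
    level: str               # maximum level approved for that subject


@dataclass(frozen=True)
class HrEvent:
    person: str
    event: str               # "termination" or "transfer"
    effective: date


def rank(level: str) -> int:
    return LEVELS.index(level)


def reconcile(accounts: List[Account], approvals: List[Approval],
              hr_events: List[HrEvent], as_of: date) -> List[Tuple[str, str]]:
    """Return sorted (account_id, finding) pairs for enabled accounts."""
    approved = {(a.subject, a.system): a.level for a in approvals}
    terminated = {e.person for e in hr_events
                  if e.event == "termination" and e.effective <= as_of}
    transferred = {e.person for e in hr_events
                   if e.event == "transfer" and e.effective <= as_of}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # disabled accounts are out of scope
        # Personal accounts are approved per workforce member; default, shared
        # and service accounts are approved per account id.
        subject = acct.owner if acct.kind == "user" else acct.account_id
        if acct.kind == "user" and acct.owner in terminated:
            findings.append((acct.account_id,
                             "active account for terminated workforce member"))
            continue
        approved_level = approved.get((subject, acct.system))
        if approved_level is None:
            findings.append((acct.account_id,
                             "no approval record for %s account" % acct.kind))
            continue
        if rank(acct.level) > rank(approved_level):
            findings.append((acct.account_id, "granted %s exceeds approved %s"
                             % (acct.level, approved_level)))
        if acct.kind == "user" and acct.owner in transferred:
            findings.append((acct.account_id,
                             "transferred member: re-verify access against new role"))
    return sorted(findings)


def privileged_accounts(accounts: List[Account]) -> List[str]:
    """Enabled accounts holding the highest level, for the privileged-access review."""
    return sorted(a.account_id for a in accounts
                  if a.enabled and a.level == "full-access")


# Constructed sample export from a fictional "EHR" system.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "Jane Doe", "EHR", "modify", "user", True),
    Account("bsmith", "Bob Smith", "EHR", "full-access", "user", True),
    Account("tlee", "Tom Lee", "EHR", "read-only", "user", True),
    Account("rkim", "Rae Kim", "EHR", "modify", "user", True),
    Account("svc_backup", None, "EHR", "full-access", "service", True),
    Account("admin", None, "EHR", "full-access", "default", True),
    Account("old_guest", None, "EHR", "read-only", "shared", False),
]
SAMPLE_APPROVALS = [
    Approval("Jane Doe", "EHR", "modify"),
    Approval("Bob Smith", "EHR", "read-only"),
    Approval("Tom Lee", "EHR", "read-only"),
    Approval("Rae Kim", "EHR", "modify"),
    Approval("svc_backup", "EHR", "full-access"),
]
SAMPLE_HR_EVENTS = [
    HrEvent("Tom Lee", "termination", date(2022, 9, 1)),
    HrEvent("Rae Kim", "transfer", date(2022, 9, 15)),
]


def run_sample() -> List[Tuple[str, str]]:
    return reconcile(SAMPLE_ACCOUNTS, SAMPLE_APPROVALS, SAMPLE_HR_EVENTS,
                     as_of=date(2022, 9, 29))


if __name__ == "__main__":
    for account_id, finding in run_sample():
        print(account_id, "-", finding)
    print("privileged:", privileged_accounts(SAMPLE_ACCOUNTS))
```

On the sample data the review flags the enabled default `admin` account with no approval record, `bsmith` holding full access where only read-only was approved, `tlee` still active after termination, and `rkim` for re-verification after a transfer; the privileged list (`admin`, `bsmith`, `svc_backup`) is what action item 4 asks the reviewer to justify against the access control policy. Each finding maps back to the documentation item that would evidence its resolution.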
Related Documents:
1) Policies and procedures related to access control.
2) Documentation demonstrating the implementation of access controls for electronic information systems that maintain ePHI.
3) Documentation demonstrating a list of new workforce members from the electronic information system who were granted access to ePHI.
4) Documentation demonstrating the access levels granted to new workforce members.
5) Documentation of a list of users with privileged access.
6) List of default, generic/shared, and service accounts from the electronic information systems with access to ePHI.
7) Documentation demonstrating the access levels granted to default, generic/shared, and service accounts.
8) Documentation demonstrating that periodic reviews of procedures related to access controls have been conducted.
9) Documentation demonstrating a list of terminations and job transfers.
10) Documentation demonstrating the removal or modification of user access levels.
Additional Guidance:
A covered entity can comply with this standard through a combination of access control methods and technical controls. A variety of access control methods and technical controls are available within most information systems. The Security Rule does not identify a specific type of access control method or technology to implement.
Regardless of the technology or information system used, access controls should be appropriate for the role and/or function of the workforce member. For example, even workforce members responsible for monitoring and administering information systems with ePHI, such as administrators or super users, must only have access to ePHI as appropriate for their role and/or job function.
Article ID: 475
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/hipaa-access-control-164-312-a-1-475.html