HIPAA - Unique User Identification 164.312(a)(2)(i)


Overview:
Assign a unique name and/or number for identifying and tracking user identity.


Action Items:
1) Obtain and review policies and procedures regarding the assignment of unique user IDs. Evaluate the content of the policies and procedures in relation to the specified performance criteria to determine how user IDs are to be established and assigned.
2) Obtain and review documentation demonstrating the assignment, creation, and use of unique user IDs in electronic information systems for users. Evaluate and determine if users are assigned a unique ID in accordance with the entity's policies and procedures for attributing new user IDs.


Related Documents:
1) Policies and procedures regarding the assignment of unique user IDs.
2) Documentation demonstrating the assignment, creation, and use of unique user IDs in electronic information systems for users.


Additional Guidance:
User identification is a way to identify a specific user of an information system, typically by name and/or number. A unique user identifier allows an entity to track specific user activity when that user is logged into an information system. It enables an entity to hold users accountable for functions performed on information systems with EPHI when logged into those systems.


The Rule does not describe or provide a single format for user identification. Covered entities must determine the best user identification strategy based on their workforce and operations. Some organizations may use the employee name or a variation of the name (e.g., jsmith). However, other organizations may choose an alternative such as assignment of a set of random numbers and characters. A randomly assigned user identifier is more difficult for an unauthorized user (e.g., a hacker) to guess, but may also be more difficult for authorized users to remember and for management to recognize. The organization must weigh these factors when making its decision. Regardless of the format, unlike email addresses, no one other than the user needs to remember the user identifier.


Sample questions for covered entities to consider:
- Does each workforce member have a unique user identifier?
- What is the current format used for unique user identification?
- Can the unique user identifier be used to track user activity within information systems that contain EPHI?



Article ID: 476
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/hipaa-unique-user-identification-164-312-a-2-i-476.html