Overview:
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Action Items:
1) Obtain and review policies and procedures regarding person or entity authentication. Evaluate whether the systems and applications that require authentication have been identified and whether authentication procedures have been implemented for them. Elements to review may include, but are not limited to:
- The authentication procedures for all systems and applications that access ePHI.
- Procedures to evaluate the authentication methods of information systems and applications.
- The authentication process for verifying the identity of a real person or of an automated process or entity.
2) Obtain and review documentation demonstrating the implementation of authentication procedures for persons or entities seeking access to ePHI. Evaluate and determine whether the implemented authentication procedures are sufficient to verify that the person or entity seeking access to ePHI is the one claimed.
Related Documents:
1) Policies and procedures regarding person or entity authentication.
2) Documentation demonstrating the implementation of authentication procedures for persons or entities seeking access to ePHI.
Additional Guidance:
In general, authentication ensures that a person is in fact who he or she claims to be before being allowed access to ePHI. This is accomplished by providing proof of identity. There are a few basic ways to provide proof of identity for authentication. A covered entity may:
- Require something known only to that individual, such as a password or PIN.
- Require something that individuals possess, such as a smart card, a token, or a key.
- Require something unique to the individual, such as a biometric. Examples of biometrics include fingerprints, voice patterns, facial patterns, or iris patterns.
Most covered entities use one of the first two methods of authentication. Many small provider offices rely on a password or PIN to authenticate the user. If the authentication credentials entered into an information system match those stored in that system, the user is authenticated. Once properly authenticated, the user is granted the authorized access privileges to perform functions and access ePHI. Although a password is the most common way to authenticate to an information system and the easiest to establish, covered entities may want to explore other authentication methods.
Sample questions for covered entities to consider:
- What types of authentication mechanisms are currently used?
- What level or type of authentication is reasonable and appropriate for each information system with ePHI?
- Are other authentication methods available that may be reasonable and appropriate?
Article ID: 483
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/hipaa-person-or-entity-authentication-164-312-d-483.html