This article describes the HIPAA information access management requirements for accessing electronic protected health information. The relevant subsection of the HIPAA law is §164.308(a)(4).
Section §164.308 of the Health Insurance Portability and Accountability Act describes the administrative safeguards that a covered entity must employ. This article will explore section §164.308(a)(4), which deals with ensuring that appropriate authorization mechanisms are in place when electronic protected health information (ePHI) is accessed.
HIPAA Information Access Management
“Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.” [§164.308(a)(4)]
A covered entity is responsible for isolating and guarding ePHI from unauthorized access. This section outlines the implementation requirements of a covered entity pertaining to protecting health information while still allowing access by those who need it for business purposes.
Isolating Health Care Clearinghouse Functions
This requirement is only applicable for health care clearinghouses which are part of a larger organization. In this case, the clearinghouse is responsible for implementing policies to protect ePHI from unauthorized access by the larger organization. An auditor will verify this by obtaining and examining formal policies to ensure that access controls exist and are sufficient, as well as verifying that these policies are approved and updated periodically.
This implementation specification is required for health care clearinghouses.
Covered entities must implement formal policies and procedures for authorizing users before granting access to ePHI. Just authenticating workforce members to a system is not sufficient. Workforce members must also be granted access privileges through a documented process that strongly establishes the identity of the user and the need to access the ePHI. To verify this rule is implemented, an auditor will inspect these policies to ensure that they are sufficient for determining the need for access before granting it. The auditor will also determine if the policies are approved and updated on a periodic basis. Additionally, the auditor will verify that the entity’s IT department has the capability to enforce the access controls laid out in the policy through technical means wherever possible.
This implementation specification is addressable. If it is not applicable or reasonable for the entity to implement, there must be formal documentation explaining why, and what (if any) related controls are implemented instead.
Access Establishment and Modification
The covered entity must implement policies and procedures to establish, document, review, and modify user access rights to ensure that the appropriate level of access is granted at all times. This HIPAA information access management rule covers access to workstations, programs and other processes that may display, contain or process ePHI. To verify this rule is implemented, an auditor will inquire of management whether such policies exist, obtain and review formal documentation of these policies, and determine whether or not the policies are sufficient and periodically reviewed and updated.
This implementation specification is also addressable. (See above for explanation of addressable.)
Changes in the 2013 HIPAA Update
No changes to the HIPAA security awareness and training requirements were included in the 2013 HIPAA Omnibus Rule. However, as described in this article, business associates of covered entities are also liable for complying with the Security Rule. Therefore, these requirements also apply to business associates.
HIPAA information access management is designed to control access to electronic protected health information (ePHI) and is a crucial part of HIPAA compliance. By restricting access to PHI, the likelihood of a breach is reduced. Creating and maintaining formal policies and procedures to implement and routinely review HIPAA information access management rules and procedures will greatly increase the chances of passing a HIPAA audit, as well as diminishing the risk of a data breach.
This article has been cross-posted from the Gemini Security Solutions website.