HIPAA TIP: Identity Access Management

Identity and access management (IAM) is the broad security discipline (consisting of policies, procedures, and technologies) that enables individuals to access only the right resources and for only the right reasons. HIPAA is specifically concerned about the privacy and security of electronic protected health information (ePHI), but the principles of IAM can and should be applied to any type of system or data set at any kind of business. Those principles are, broadly:

• -Authentication (45 CFR § 164.312(d)): make sure a person is who they say they are before giving them access to anything, and that they can be uniquely identified (in other words: don’t share login accounts)
• -Access Control (45 CFR § 164.312(a)): only allow a person to access the minimum amount of information they need to do their job; on a regular basis, validate that their level of access is still appropriate for their current role
• -Audit (45 CFR § 164.312(b)): also known as Accountability; on a regular basis, make sure nothing was changed or accessed that should not have been

Security is an ongoing process, not an end state – each of these principles must be continuously applied against your ePHI and other assets to remain effective.