HIPAA Tip: Identity and Access Management

Identity and access management (IAM) is the set of security services, processes, policies and tools used to define and manage the roles and permissions that users, devices and application programming interfaces (APIs) hold on servers, onsite systems and applications, and on any cloud or offsite software systems and applications.

Your organization already decides how a new user is set up in the EMR: what their role is, which level(s) of permission they need to do their job, and how they will access the system or application (a business device onsite vs. remote, a cell phone with MFA enabled). The same access control policies must be defined and implemented for every system and application used in the environment or in the cloud, by the organization and, where applicable, by the vendor supplying the system or application.

Grant access to business resources according to each user's context, and keep those grants current as the organization and its computing needs evolve. Documented onboarding of users and systems with specific, least-privilege permissions, as well as documented offboarding that removes access when it is no longer needed, must be a major part of the Identity and Access Management program.

Per HIPAA, Covered Entities and their Business Associates also need to address the Audit Controls standard (§ 164.312(b)):

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

Most information systems provide some level of audit controls together with a way to report on them, such as audit reports. It is extremely important that management review user activity to ensure no unauthorized access or activity is occurring, both to comply with HIPAA and to keep patient data confidential.
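One way to turn that review into a repeatable check is to compare each audit-log event against the provisioning records the IAM program already maintains. The following is an added example, not code from the article or from any EMR vendor; the log line format, role model, user names and patient IDs are all constructed for illustration.

```python
# Added example (not from the article): review constructed EMR audit-log lines
# against a least-privilege role model and an active-user directory.
# Audit line format assumed: "<timestamp> user=<id> action=<action> patient=<record>".
# All users, roles, actions and patient IDs below are constructed for illustration.

# Constructed role model: the only actions each role is permitted to perform.
ROLE_PERMISSIONS = {
    "physician": {"view_record", "update_record", "order_lab"},
    "billing": {"view_billing"},
    "front_desk": {"view_demographics", "schedule"},
}

# Constructed user directory; offboarded users are removed, so they are absent here.
ACTIVE_USERS = {"dr.lee": "physician", "mpatel": "billing", "kwong": "front_desk"}

# Constructed audit lines: one out-of-role access and one access by an offboarded user.
AUDIT_LOG = """\
2024-03-01T08:15:02 user=dr.lee action=view_record patient=P1001
2024-03-01T08:16:40 user=mpatel action=view_billing patient=P1001
2024-03-01T08:17:05 user=mpatel action=view_record patient=P1002
2024-03-01T08:20:11 user=jsmith action=view_record patient=P1003
2024-03-01T08:22:30 user=kwong action=schedule patient=P1004
"""


def parse_line(line: str) -> dict:
    """Split '<ts> k=v k=v ...' into a dict; the leading token is the timestamp."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["timestamp"] = ts
    return fields


def review_audit_log(log: str) -> list[tuple]:
    """Return (timestamp, user, action, patient, reason) for every policy violation."""
    findings = []
    for line in log.splitlines():
        ev = parse_line(line)
        role = ACTIVE_USERS.get(ev["user"])
        if role is None:  # account was offboarded or never provisioned
            reason = "user not in active directory (offboarded or unknown)"
        elif ev["action"] not in ROLE_PERMISSIONS[role]:  # outside least privilege
            reason = f"action '{ev['action']}' not permitted for role '{role}'"
        else:
            continue  # access is consistent with provisioning; nothing to flag
        findings.append((ev["timestamp"], ev["user"], ev["action"], ev["patient"], reason))
    return findings
```

Each finding is a line a reviewer should examine; the two checks (account still active, action within role) are exactly the onboarding and offboarding decisions the IAM program documents.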

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.


Dawn Meglino

HIPAA Compliance Specialist, CHPSE, CCSA, CCAP