HIPAA TIP: Information Access Management

Without appropriate authorization policies and procedures and access controls, hackers, workforce members, or anyone with an Internet connection may have impermissible access to the health data that your organization has and is responsible for securing under the HIPAA Rule.

Plain and simple, operating systems and applications containing electronic Protected Health Information (ePHI) must have controls in place to limit access to this data. All users need to have role-based access for the “minimum necessary” in order to perform their specific duties within the organization. Would a staff member who checks in patients need the same privileges as the physician’s assistant or nurse? And does it make any sense to have multiple users sharing an account that contains ePHI when their role descriptions define differing levels of access to ePHI?

The Information Access Management standard requires HIPAA Covered Entities and Business Associates to “implement policies and procedures for authorizing access to ePHI that are consistent with the applicable requirements of the HIPAA Privacy Rule.” Put these in place for systems containing ePHI, including the Windows Operating System, and review active users and their roles and privileges regularly.

HIPAA compliance isn’t a one-time checklist. It’s ongoing, programmatic in nature, and requires demonstrated reasonable diligence to stay in good standing with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Anatomy IT can provide you peace of mind with our expert HIPAA compliance services. To learn more, contact us here.