Allow access to ePHI only to those granted access rights. Implementation specifications under Access Control include:
- Unique User Identification (R), § 164.312(a)(2)(i): Assign a unique user identifier to identify and track user activity. (Required)
- Emergency Access Procedure (R), § 164.312(a)(2)(ii): Have procedures for getting to ePHI during an emergency. (Required)
- Automatic Logoff (A), § 164.312(a)(2)(iii): Set up systems to automatically log off a workstation. (Addressable)
- Encryption and Decryption (A), § 164.312(a)(2)(iv): Use a system to encrypt and decrypt ePHI. (Addressable)
There are several premises behind access controls that should make sense to anyone working in security.
- First, provide access only to those individuals who need it.
- Second, create tools to control access during emergencies.
- Third, have the ability to trace disclosures and actions back to their source.
- Last, implement a passive method to protect information.
The HIPAA Security Rule's Access Control standard is designed with those premises in mind. The way we see it, this is not about the Government telling us what to do, but about guiding us to ensure our organizations, clients and subcontractors are protected.
Sometimes we just need to look at access controls from a different point of view to understand them better. For example, simply consider that less is best and, whenever possible, follow these recommendations:
- Secure information through the use of encryption.
- Track the information and those using it.
- Allow access only to those who need the information.
- Prepare for emergencies.