HIPAA Security Implementation, Version 1.0

4.8 ACCESS CONTROLS

4.8.1 Summary

Access control is a means of limiting what people can see and what they can modify. In other words limit the number of people who can see the data to those who have a need to see it in order to do their jobs and ensure that the modification of data is limited to only those who are authorized to make modifications.

As discussed in its comment and response section, the final Privacy Rule states that role based access control is required.

Under the final security rule CEs are required to 'implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software who have been authorized to do so'

Specialized security technology and controls will usually be necessary to enforce these policies and procedures.

4.8.2 Detailed Requirements

The Privacy Rule requires that Role Based Access Controls (RBAC) be implemented. This means that CEs must create policies and procedures to identify (a) the types of roles i.e. doctor, nurse, billing clerk etc. which need access to PHI and (b) then identify what specific PHI that each of these roles require access to. Associated with this requirement is the need to audit for compliance and logging and review of access to PHI data.

The security rule goes into Access Control in much greater depth and specificity. Access Control is covered under Technical Controls, Authentication, Encryption, Physical Access controls etc.

4.8.3 Under 'Technical Controls' Access Controls focus on:

• Unique User Identification-A unique name or number must be assigned for the purposes of identifying and tracking users

• Emergency Access Procedure-An emergency access procedure must be established for accessing PHI during an emergency

• Automatic logoff -The CE is required to implement electronic procedures that will terminate an electronic session after a predetermined time of inactivity

• Encryption and Decryption-The CE is required to implement a mechanism to encrypt and decrypt EPHI. Best practices would dictate that this encryption take place during transmission and storage of EPHI.

• Authentication-An integral part of access control is authentication i.e. ensure that the person or entity who is attempting to access the PHI is in fact the person or entity that they claim to be.

• Under 'Person or Entity Authentication' section of the security rule the CE is must 'implement procedures to verify that a person OR and entity seeking to gain access to EPHI is the one claimed'.

• Transmission Security (Access Control)-The CE is required to 'Implement Technical Security measures to guard against unauthorized access to EPHI that is being communicated over an electronic communications network'.

• Integrity Controls-CEs are must implement controls to ensure that EPHI is not 'improperly modified' without detection until disposed of.

• This provision would apply to the full life cycle of the EPHI and the use of this information during it's life cycle i.e. from creation to disposal as well as transmission and storage of EPHI.

• Encryption Controls-Encryption, is a mechanism that is used to ensure that unauthorized parties do not gain access to sensitive or confidential information. Once again this provision will apply to the full life cycle of the EPHI and the use of this information during it's life cycle i.e. from creation to disposal as well as transmission and storage of EPHI.

• Workstation security-CEs must 'implement physical safeguards for all workstations that access EPHI, to restrict access to authorized users only'.

4.8.4 Under Facility Access Control a CE must:

• 'Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.'