What are the HIPAA Security Rule Access Controls?

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

What are HIPAA Security Rule Access Controls?

The HIPAA Security Rule Access Control standard is a technical safeguard that requires covered entities and business associates to implement access controls for electronic information systems to allow access to ePHI only to certain individuals. These individuals are the individuals that have been approved to access ePHI in accordance with the organization’s Information Access Management process.

Covered entities and business associates may consider various access control mechanisms to prevent unauthorized access to ePHI. These access controls could include role-based access, user-based access, or other access control mechanisms the organization deems appropriate, taking into account:

(i) The size, complexity, and capabilities of the covered entity or business associate.

(ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities.

(iii) The costs of security measures.

(iv) The probability and criticality of potential risks to electronic protected health information.

Access controls need not be limited to computer systems. Firewalls, network segmentation, and network access control (NAC) solutions can also be effective means of limiting access to electronic information systems containing ePHI, if these are properly implemented.

The Access Control standard includes four implementation specifications for limiting access to

information.  

The first, "Unique User Identification," is a required implementation specification. It requires covered entities and business associates to "Assign a unique name and/or number for identifying and tracking user identity." This implementation specification requires organizations to avoid using shared names and passwords to access its electronic information systems.

Use of shared names and passwords degrades the integrity of a system because it removes accountability from individual users and makes it much easier for the system to become compromised.

If information is improperly entered, altered, or deleted, whether intentionally or not, it can be very difficult to identify the person responsible (e.g., for training or sanctions) or determine which users may have been the victim of a phishing attack that introduced ransomware into the organization. Additionally, because shared usernames and passwords can become widely known, it may be difficult to know whether the person responsible was an authorized user. A former employee or contractor, a current employee not authorized for access, a friend or family member of an employee, or an outside hacker could be a source of unauthorized access

The second implementation specification, Emergency Access Procedure, is also a required

implementation specification. These procedure requires that covered entities and business associates "Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency." Such procedures are applicable in situations in

which normal procedures for obtaining ePHI may not be available or may be severely limited,

such as during power failures or the loss of Internet connectivity. Access controls are still

necessary during an emergency, but may be very different from normal operations. 

How workforce members can securely access ePHI during periods of increased teleworking should be part of an organization’s Emergency Access Procedures. Appropriate procedures should be established beforehand for how to access needed ePHI during an emergency.

The third implementation specification, Automatic Logoff, is an addressable implementation

specification. Automatic logoff procedures terminate an electronic session after a pre-determined time of inactivity. 

The final Access Control implementation specification is Encryption and Decryption, an addressable implementation specification. This implementation specification consists of "Implement[ing] a mechanism to encrypt and decrypt electronic protected health information."

Having a mechanism to encrypt and decrypt ePHI can reduce the risks and costs of unauthorized access to ePHI. For example, if a hacker gains access to unsecured ePHI on a network server or if a device containing unsecured ePHI is stolen, a breach of PHI may be found to have occurred.