What are the HIPAA Security Rule Access Controls?

Modified on Mon, 21 Jul at 4:23 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

This article discusses the HIPAA Security Rule's "access controls" provision and its specific components and requirements.

What are HIPAA Security Rule Access Controls?

The HIPAA Security Rule Access Control standard is a technical safeguard that requires covered entities and business associates to implement access controls for electronic information systems so that access to ePHI is allowed only to certain individuals. These are the individuals who have been approved to access ePHI in accordance with the organization's Information Access Management process.

Covered entities and business associates may consider various access control mechanisms to prevent unauthorized access to ePHI. These access controls could include role-based access, user-based access, or other access control mechanisms the organization deems appropriate, taking into account:

(i) The size, complexity, and capabilities of the covered entity or business associate.

(ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities.

(iii) The costs of security measures.

(iv) The probability and criticality of potential risks to electronic protected health information.

Access controls need not be limited to computer systems. Firewalls, network segmentation, and network access control (NAC) solutions can also be effective means of limiting access to electronic information systems containing ePHI, if these are properly implemented.

The Access Control standard includes four implementation specifications for limiting access to information. These are discussed below:

Unique User Identification

The first, "Unique User Identification," is a required implementation specification. It requires covered entities and business associates to "Assign a unique name and/or number for identifying and tracking user identity." This implementation specification requires organizations to avoid using shared names and passwords to access their electronic information systems.

Use of shared names and passwords degrades the integrity of a system because it removes accountability from individual users and makes it much easier for the system to become compromised.

If information is improperly entered, altered, or deleted, whether intentionally or not, it can be very difficult to identify the person responsible (e.g., for training or sanctions) or determine which users may have been the victim of a phishing attack that introduced ransomware into the organization. Additionally, because shared usernames and passwords can become widely known, it may be difficult to know whether the person responsible was an authorized user. A former employee or contractor, a current employee not authorized for access, a friend or family member of an employee, or an outside hacker could be a source of unauthorized access. Observing the unique user identification specification prevents such unauthorized access from taking place.

Emergency Access Procedure

The second implementation specification, Emergency Access Procedure, is also a required implementation specification. This specification requires that covered entities and business associates "Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency." Such procedures, which should be established beforehand (before an emergency takes place), are applicable in situations in which normal procedures for obtaining ePHI may not be available or may be severely limited, such as during power failures or the loss of Internet connectivity. Access controls are still necessary during an emergency, but may be very different from normal operations. Emergency access procedures should be developed both for in-office operations and for employees who telework. Employees who telework must know how they can securely access ePHI when an emergency occurs.

Automatic Logoff

The third implementation specification, Automatic Logoff, is an addressable implementation specification (addressable implementation specifications must be implemented if it is reasonable and appropriate to do so).

Automatic logoff procedures can safeguard PHI from unauthorized access. Users sometimes inadvertently leave workstations unattended for various reasons. In an emergency setting, a user may not have time to manually log out of a system. Implementing an automated logoff mechanism that terminates an electronic session after a period of inactivity (NIST 800-63B recommends 15 minutes) reduces the risk of unauthorized access when a user forgets or is unable to terminate their session.
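The following is an added illustration (not Compliancy Group's code) of how an application can enforce the Automatic Logoff and Unique User Identification specifications together: an in-memory session table that ties every session to one unique user ID, terminates any session idle longer than the configured limit (defaulting to the 15 minutes quoted above), and writes an attributable audit entry for each login and automatic logoff. Timestamps are plain seconds; the session and user names are constructed sample values.

```python
# Added example, not the article's own code. Times are seconds (e.g. time.monotonic()).
IDLE_LIMIT_SECONDS = 15 * 60  # the 15-minute inactivity figure cited in the text


class SessionStore:
    def __init__(self, idle_limit=IDLE_LIMIT_SECONDS):
        self.idle_limit = idle_limit
        self._sessions = {}  # session_id -> (unique user id, last activity time)
        self.audit_log = []  # (timestamp, user_id, event): accountability per user

    def login(self, session_id, user_id, now):
        # Every session is bound to exactly one unique user identifier, so later
        # actions and logoffs can be attributed to a person, not a shared account.
        self._sessions[session_id] = (user_id, now)
        self.audit_log.append((now, user_id, "login"))

    def touch(self, session_id, now):
        """Record activity; terminate the session and return False if it went idle."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return False  # unknown or already terminated session
        user_id, last_seen = entry
        if now - last_seen > self.idle_limit:
            self._sessions.pop(session_id)
            self.audit_log.append((now, user_id, "auto-logoff"))
            return False
        self._sessions[session_id] = (user_id, now)
        return True

    def sweep(self, now):
        """Terminate all idle sessions, e.g. from a periodic background job.
        Returns the number of sessions terminated."""
        expired = [sid for sid, (_, seen) in self._sessions.items()
                   if now - seen > self.idle_limit]
        for sid in expired:
            user_id, _ = self._sessions.pop(sid)
            self.audit_log.append((now, user_id, "auto-logoff"))
        return len(expired)

    def is_active(self, session_id):
        return session_id in self._sessions


if __name__ == "__main__":
    store = SessionStore()
    store.login("sess-1", "jdoe", 0)          # constructed sample user
    print(store.touch("sess-1", 600))          # active again after 10 minutes
    print(store.touch("sess-1", 600 + 901))    # idle for 15m01s: auto-logoff
    print(store.audit_log)
```

The sweep method covers the case the text raises of a user who never returns to the workstation: a background job calling it on a schedule ends the session even if no further request ever arrives.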

Encryption and Decryption

The final Access Control implementation specification is Encryption and Decryption, an addressable implementation specification. This implementation specification requires "Implement[ing] a mechanism to encrypt and decrypt electronic protected health information."

Having a mechanism to encrypt and decrypt ePHI can reduce the risks and costs of unauthorized access to ePHI. For example, if a hacker gains access to unsecured ePHI on a network server or if a device containing unsecured ePHI is stolen, a breach of PHI may be found to have occurred. This breach might not have happened had a mechanism to encrypt and decrypt ePHI been in place.
