- SCENARIO #1. Disgrunted employee decides to get even with the company. Employee has access to case records and opts to delete all of them. Organization is unable to pinpoint nor prove who did it as everyone in the company has the same login and password.
HIPAA Solution: UNIQUE USER IDENTIFICATION (R) – § 164.312(a)(2)(i) - SCENARIO #2. Individual goes on a cruise but had to be hospitalized halfway thru the trip for unknow reasons. Patient spent a month in the hospital as they could not figure out the problem.
HIPAA Solution: EMERGENCY ACCESS PROCEDURE (R) – § 164.312(a)(2)(ii) - SCENARIO #3. Indiviudal is checking out from the doctors office. On her way to the checkout clerk she sees a workstation with no one at the desk but the screen is on. She recognizes the name of the patient and their condition. On her drive home she tells others the information she found out. You fill in the blanks……
HIPAA Solution: AUTOMATIC LOGOFF (A) – § 164.312(a)(2)(iii) - SCENARIO #4. Individual is completing application for a loan on his device. While travelling the individual loses his device. As a result, his identity was stolen and his accounts emptied.
HIPAA Solution: ENCRYTION AND DECRYPTION (A) – § 164.312(a)(2)(iv)
While there are a many other scenarios we could present the key of the matter is that HIPAA Security, Access Control Standard covers the proper actions to protect you, your business and your Employer as the case may be.
What is Access Control?
Access (§ 164.304) is defined under the Security Rule as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.”1
Access control in a nutshell:
Authorized User* + Minimum necessary** + Rights + Restrictions = Access Control
*Covered Entity or Business Associate personnel.
**Minimum necessary information or electronic Protected Health Information (ePHI) needed to access to perform job functions.
What does the Access Control require?
It requires all Covered Entities and Business Associates to “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4)[Information Access Management].”1
Click here to read more on HIPAA Security - Technical Safeguards requirement on each Covered Entity and Business Associates related to Access Controls.
Access Controls
§ 164.312(a)(1)
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
The basic concept of access controls is to enable authorized users to access the minimum necessary information needed to perform their job responsibilities.
As part of this Standard all Covered Entities and Business Associates must meet four basic implementation specifications:
- Unique User Identification (Required)
- Emergency Access Procedure (Required)
- Automatic Logoff (Addressable)
- Encryption and Decryption (Addressable)
Access control is a security term used to refer to a set of policies for restricting access to information, tools, and physical locations. Typically access controls falls under the domain of physically access control or information access control.
Simply speaking, access control restricts access to data as well as software used to manipulate that data. Access control is very commonly used in computer and network security. Some examples include:
- A user signing into their laptop using a password
- A user unlocking their smartphone with a thumbprint scan
- A user logging into their email account
- A remote employee accessing their employer’s internal network using a Virtual Private Network (VPN)
In all of these cases, software is used to authenticate and grant authorization to users wishing to access digital information. Both authentication and authorization are integral components of access control.
Keep in mind that authentication is the security practice of confirming that someone is who they claim to be, while authorization is concerned with the level of access each user is granted.
Every User and System should rely on both, authentication and authorization, as part of your Access Control Measures.
Access Control specification at a glance.
| Specification | Category | Mandate Details1 |
| 1. Unique User Identification [§ 164.312(a)(2)(i)] |
Required specification | Assign a unique name and/or number for identifying and tracking user identity. |
| 2. Emergency Access Procedure [§ 164.312(a)(2)(ii)] |
Required specification | Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. |
| 3. Automatic Logoff [§ 164.312(a)(2)(iii)] |
Addressable specification | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. |
| 4. Encryption and Decryption [§ 164.312(a)(2)(iv)] |
Addressable specification | Implement a mechanism to encrypt and decrypt electronic protected health information. |