DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
The Information Access Management standard is a HIPAA Security Rule standard that governs access to ePHI. The Information Access Management standard is an administrative safeguard. It requires HIPAA covered entities and business associates to “implement policies and procedures for authorizing access to [ePHI] that are consistent with the applicable requirements of [the HIPAA Privacy Rule].”
This standard has three implementation specifications, two of which apply to covered entities and business associates (Access Authorization, and Access Establishment and Modification). The other implementation specification, “Isolating Health Care Clearinghouse Functions,” is specific to health care clearinghouses.
The “Access Authorization” implementation specification focuses on the policies for granting access to ePHI. The specification requires covered entities and business associates to “Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.” These procedures may cover how access to each information system containing ePHI is requested, authorized, and granted; who is responsible for authorizing access requests; and the criteria for granting access.
Access authorization policies typically define the parameters under which individuals in particular workforce roles may be granted access to particular systems, applications, and data. Those parameters should reflect what information access is necessary for a workforce member to do their job. For example, a billing clerk role may not need access to medical images on a Picture Archiving and Communication System (PACS) server in order to carry out their billing responsibilities.
The “Access Establishment and Modification” specification requires covered entities and business associates to “Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.” Access establishment and modification policies should describe HOW to establish, document, review, and modify a user’s access to workstations, transactions, programs, or processes. For example, a workforce member being promoted or given some change in responsibility may require that the workforce member be given increased access to certain systems and decreased access to others. In addition, a HIPAA-covered organization could change its system access requirements to permit remote access to systems containing ePHI during a pandemic. Policies and procedures should cover situations such as these to ensure that each workforce member’s access continues to be appropriate for their role.
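The following added example (not from this article or from Compliancy Group) shows the two specifications above as code: a role-based access authorization policy, a grant step that documents each decision, a role-change step that revokes access the new role no longer justifies, and a periodic review that flags entitlements exceeding the policy. The roles, systems and user names are hypothetical.

```python
"""Role-based access authorization with establishment, modification and review.
Constructed example: the roles, systems and approvers below are hypothetical."""
from dataclasses import dataclass, field

# Access authorization policy: the systems each workforce role MAY be granted.
# A billing clerk is authorized for billing and scheduling, never for PACS images.
ROLE_POLICY = {
    "billing_clerk": {"billing", "scheduling"},
    "radiologist": {"pacs", "ehr", "scheduling"},
}


@dataclass
class User:
    name: str
    role: str
    access: set = field(default_factory=set)  # systems actually granted


@dataclass
class AccessManager:
    log: list = field(default_factory=list)  # documented decisions (who, what, result, approver)

    def establish(self, user, system, approver):
        """Grant access only when the role policy authorizes it; document every decision."""
        allowed = system in ROLE_POLICY.get(user.role, set())
        self.log.append((user.name, system, "grant" if allowed else "deny", approver))
        if allowed:
            user.access.add(system)
        return allowed

    def modify_role(self, user, new_role, approver):
        """Role change: revoke access the new role does not justify and return the
        systems the user may now request (they are not granted automatically)."""
        user.role = new_role
        permitted = ROLE_POLICY.get(new_role, set())
        for system in sorted(user.access - permitted):
            user.access.discard(system)
            self.log.append((user.name, system, "revoke", approver))
        return permitted - user.access

    def review(self, users):
        """Periodic access review: report users whose access exceeds their role policy."""
        excess = {u.name: u.access - ROLE_POLICY.get(u.role, set()) for u in users}
        return {name: systems for name, systems in excess.items() if systems}
```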