HIPAA Information Access Management

What is Information Access Management?

The fourth standard in the Administrative Safeguards section is Information Access Management. Covered Entities (CEs) and their Business Associates (BAs) are required to:

“Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part [the Privacy Rule].”

Restricting access to only those individuals and entities with the need for access is a basic tenet of security. Implementing this standard minimizes the risk of inappropriate disclosure, alteration, or destruction of electronic protected health information (ePHI). CEs and their BAs must determine which persons and/or entities need access to ePHI within their environment to accomplish their tasks, and grant nothing more.

Compliance with this standard should support the CE's compliance with the HIPAA Privacy Rule minimum necessary requirements, which require CEs, and where required BAs, to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to, and disclosure of, PHI. To better understand this standard, CEs should review the minimum necessary standard of the HIPAA Privacy Rule. See 45 CFR 164.502(b) and 164.514(d).

The Information Access Management standard has three implementation specifications:
Note: (R) = Required, (A) = Addressable

  1. Isolating Healthcare Clearinghouse Functions (R) – § 164.308(a)(4)(ii)(A)
  2. Access Authorization (A) – § 164.308(a)(4)(ii)(B)
  3. Access Establishment and Modification (A) – § 164.308(a)(4)(ii)(C)

Isolating Healthcare Clearinghouse Functions

The Isolating Healthcare Clearinghouse Functions implementation specification states:

“If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.”

This implementation specification applies only where a healthcare clearinghouse is part of a larger organization. In these situations, the healthcare clearinghouse is responsible for protecting the ePHI that it is processing.

Access Authorization

In the Workforce Security standard portion of this paper, authorization is defined as the act of determining whether a particular user (or computer system) has the right, based on job function or responsibilities, to carry out a certain activity, such as reading a file or running a program. Where this implementation specification is a reasonable and appropriate safeguard for a CE and their BA, the CE and their BA must:

“Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.”

Once the CE and their BA determine that the person or system is authorized, there are numerous ways to grant access to ePHI. In general, a CE's and their BA's policies and procedures must identify who has authority to grant access privileges. They must also state the process for granting access.

Once the CE and their BA define who has access to what ePHI and under what circumstances, they must consider how access is established and modified.

Access Establishment and Modification

Where the Access Establishment and Modification implementation specification is a reasonable and appropriate safeguard for a CE and their BA, the CE and their BA must:

“Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.”

This means that a CE and their BAs must implement and manage the creation and modification of access privileges to workstations, transactions, programs and/or processes.

Responsibility for this function may be assigned to a specific individual or individuals, who may also be responsible for terminating access privileges for workforce members.

CEs and their BAs must evaluate existing procedures, update them as needed, and document procedures as necessary.

Here are some sample questions for CEs and their BAs to consider:

  1. Are policies and procedures in place for establishing access and modifying access?
  2. Are system access policies and procedures documented and updated as necessary?
  3. Do members of management or other workforce members periodically review the list of persons with access to ePHI to ensure they are valid and consistent with those authorized?

Note: Security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as CEs' and BAs' organizations and their technologies change.

Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect them to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why are you leaving yourself wide open to such risks?
