Awareness: Security Awareness Tips

Unique User Identification

The HIPAA Security Rule requires Covered Entities to implement a “Unique User Identification” standard for systems holding electronic protected health information (EPHI). Unique User Identification is a “required” specification under the Access Control standard and should be employed for all EPHI systems.

As the name implies, unique user identification refers to the use of a unique name or number, frequently referred to as a “Logon name” or “User ID”, to identify and track specific individuals using EPHI systems. Use of this unique name or number provides a means to verify the identity of the person using the system. An effective unique user identification practice ensures that system activity can be traced to a specific individual. Never share your user ID on any system: activity performed under your ID is attributed to you, and you would not like to be held responsible for someone else’s actions.

System Administrators should perform ongoing maintenance of user identification data. User identifications that are not associated with active workforce members (such as those of former employees) present an increased risk of abuse. User identifications provided to consultants and vendors should also be removed or disabled as soon as they are no longer needed. System Administrators may wish to temporarily disable accounts for workforce members who are leaving for extended periods and have no need to access the system, such as for medical/family leave or vacations.
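The maintenance review described above can be run as a periodic reconciliation of the account list against the workforce roster. The following is an added example, not part of the original tip; the roster statuses, account fields, user IDs and action names are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: HR roster status per person (hypothetical IDs).
ROSTER = {"E100": "active", "E101": "terminated", "E102": "leave"}

# Constructed export of accounts from a hypothetical EPHI system.
ACCOUNTS = [
    {"user_id": "asmith", "owner": "E100", "kind": "workforce", "enabled": True},
    {"user_id": "bjones", "owner": "E101", "kind": "workforce", "enabled": True},
    {"user_id": "clee", "owner": "E102", "kind": "workforce", "enabled": True},
    {"user_id": "dnguyen", "owner": "E999", "kind": "workforce", "enabled": True},
    {"user_id": "frontdesk", "owner": None, "kind": "workforce", "enabled": True},
    {"user_id": "v-acme", "owner": "V7", "kind": "vendor", "enabled": True,
     "needed_until": date(2005, 6, 30)},
    {"user_id": "v-labs", "owner": "V8", "kind": "vendor", "enabled": True,
     "needed_until": date(2005, 12, 31)},
    {"user_id": "old-temp", "owner": "E101", "kind": "workforce", "enabled": False},
]

def review_accounts(accounts, roster, today):
    """Return (user_id, action, reason) for each enabled account needing attention."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to do
        uid, owner = acct["user_id"], acct["owner"]
        if owner is None:
            # A shared ID cannot be traced to a specific individual.
            findings.append((uid, "assign-or-disable", "no single named owner"))
        elif acct["kind"] == "vendor":
            if acct["needed_until"] < today:
                findings.append((uid, "disable", "vendor/consultant access no longer needed"))
        else:
            status = roster.get(owner)  # None means the owner is not on the roster
            if status in (None, "terminated"):
                findings.append((uid, "disable", "not associated with an active workforce member"))
            elif status == "leave":
                findings.append((uid, "disable-temporarily", "workforce member on extended leave"))
    return findings

if __name__ == "__main__":
    for uid, action, reason in review_accounts(ACCOUNTS, ROSTER, date(2005, 8, 18)):
        print(f"{uid:10} {action:20} {reason}")
```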

Posted August 18, 2005