access control, devices and systems (HIPAA)
Under HIPAA's Security Rule, covered entities must implement a regime of information system access controls as part of their technical safeguards, complementary to the facility access controls that form part of the Rule's physical safeguards.
The access controls at issue here are defined as "technical policies and procedures for electronic information systems access that maintain electronic protected health information [PHI] to allow access only to those persons or software programs that have been granted access rights," as specified in the information access management standard of the Rule's administrative safeguards.
The access control standard has four implementation specifications. The first two are required and the last two addressable:
- unique user identification;
- emergency access procedure;
- automatic logoff;
- encryption and decryption.
The first requires "assign[ment of] a unique name and/or number for identifying and tracking user identity." The Rule permits "any appropriate access control" mechanism in conjunction with unique user identification. (Final Rule, p.129)
The second requires establishing -- and implementing, as necessary -- procedures for "obtaining necessary [PHI] during an emergency." The Final Rule commentary notes that "[a]ccess controls will still be necessary under emergency conditions, but they may be very different from those used under normal operational circumstances." (Final Rule, p.131)
The third covers procedures that "terminate an electronic session after a predetermined time of inactivity." The specification is, as noted, addressable, to indicate that equivalent measures achieving inactivity lockout are permissible. (Final Rule, p.129-130)
The last embraces implementation of "mechanism[s] to encrypt and decrypt electronic [PHI]."