information access management (HIPAA)
As part of their administrative safeguards, covered entities must implement an information access plan -- that is, "policies and procedures for authorizing access to electronic protected health information [PHI]," consistent with provisions of the Privacy Rule.

The standard has three associated implementation specifications, only the first of which is required:
- isolation of any health clearinghouse functions,
- access authorization, and
- access establishment and modification.
If a health care clearinghouse is part of a larger organization, it must take steps to protect its electronic PHI from unauthorized access by persons from that larger organization. The notion of an internal "Chinese Wall" is similar to the barriers that must be erected within hybrid entities under the Privacy Rule.

Indeed, the health care component and affiliated entity standards of the Privacy Rule are now paralleled in the Security Rule. Safeguards for electronic PHI must be applied to prevent unauthorized access both by outside persons and organizations and by the "uncovered" component of the covered entity. This segregation requirement is imposed not just on health care clearinghouses, but on any kind of covered entity. (See discussion at Final Rule pp. 147ff.) Thus this specification's name is somewhat misleading: it sounds narrower than the requirement actually is:

"...[T]hose components of a hybrid entity that are designated as health care components must comply with the security standards and protect against unauthorized access with respect to the other components of the larger entity in the same way as they must deal with separate entities." (Final Rule, p. 151)
The second specification embraces the implementation of policies and procedures that grant access to electronic PHI. The third relates to implemented policies and procedures "that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program or process."

These two specifications share a close kinship with the policies and procedures that are part of the workforce security standard. The semi-redundancy reflects DHHS's stress on "formal, documented policies and procedures" that specify "levels of access for all personnel authorized to access health information, [including] how access is granted and modified." (Final Rule, p. 93)
The adjective "formal" does not mean that the policies and procedures must align with any particular structure or industry standard format. (So much angst was generated that "formal" was deleted from draft versions of the regulation itself.) It does mean that "documentation should be an official organizational statement as opposed to word-of-mouth or cryptic notes scratched on a notepad." (Final Rule, p. 95)

As with the workforce security standard, the policies and procedures adopted for these components must be guided by the Privacy Rule's minimum necessary standard. The degree of refinement of such policies -- e.g., how "fine-grained" the setting of access privileges should be -- will depend on the size of the covered entity and the technical capabilities of its information systems. (For this reason, the last two components are addressable specifications, rather than required ones.)