By Iseman Cunningham Riester & Hyde LLP
“Access establishment and modification” is the second specification under the “information access management” standard. The first specification, access management (see Tip #20), addresses what levels of access will be provided to members of the workforce. Access establishment and modification concerns how those levels of access are provided.
This specification is technically an “addressable” requirement. Covered entities must implement an access establishment policy unless it is inappropriate or unreasonable and its purpose cannot be met through a reasonable alternative measure. As with access management, it is difficult to imagine the circumstances that would justify avoiding this specification.
The specification, like most of the security standards, provides little detail on the actual requirements of the policy. Covered entities should at least ensure their policy touches on the areas specifically mentioned in the rule: establishment, documentation, modification, and review of an individual’s right of access to a workstation, transaction, program, or process.
The point of access establishment is an opportune time to introduce the covered entity’s “acceptable use policy” (AUP). AUPs are rules for use of the computer system which typically address issues such as personal e-mailing and web browsing, downloading software, storing music on the system, etc. Organizations integrating the AUP into the access establishment process, however, should ensure that the AUP is actually read and understood by the user. If the user’s exposure to the AUP is reduced to a “Next” or “I Agree” button in the setup process, the AUP is likely to be ignored and, consequently, prove ineffective as a tool for managing system use and abuse.
HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.
(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.