HIPAA Security Tip #21: Access Establishment And Modification

By Iseman Cunningham Riester & Hyde LLP

“Access establishment and modification” is the second specification under the “information access management” standard. The first specification, access management (see Tip #20), addresses what levels of access will be provided to members of the workforce. Access establishment and modification concerns how those levels of access are provided.

This specification is technically an “addressable” requirement. Covered entities must implement an access establishment policy unless it is inappropriate or unreasonable and its purpose cannot be met through a reasonable alternative measure. As with access management, it is difficult to imagine circumstances that would justify avoiding this specification.

The specification, like most of the security standards, provides little detail on the actual requirements of the policy. Covered entities should at least ensure their policy touches on the areas specifically mentioned in the rule: establishment, documentation, modification, and review of an individual’s right of access to a workstation, transaction, program, or process.

The point of access establishment is an opportune time to introduce the covered entity’s “acceptable use policy” (AUP). AUPs are rules for use of the computer system which typically address issues such as personal e-mailing and web browsing, downloading software, storing music on the system, etc. Organizations integrating the AUP into the access establishment process, however, should ensure that the AUP is actually read and understood by the user. If the user’s exposure to the AUP is reduced to a “Next” or “I Agree” button in the setup process, the AUP is likely to be ignored and, consequently, prove ineffective as a tool for managing system use and abuse.



HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.

(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.
