HIPAA Security Tip #20: Access Authorization

By Iseman Cunningham Riester & Hyde LLP

Covered entities must implement policies and procedures for granting access to electronic protected health information. This requirement is an addressable specification under the “Information Access Management” standard (see Tip #19). Covered entities must implement this requirement unless it is an inappropriate or unreasonable requirement and cannot be met through an alternative measure.

Access management is a fundamental tenet of information security. In addition, as noted last week, HIPAA security policies must be consistent with HIPAA privacy standards, including the minimum necessary rule. Other than among the smallest covered entities, it is difficult to envision circumstances that would justify passing over this specification.

The access authorization specification requires covered entities to answer the question, “What level of access will be provided to different members of the workforce?” Access can be tied to a number of different things: the user’s “role” (scheduler/receptionist, transcriptionist, administrator); the physical point of access (a workstation in a lab); a function (coding, billing, CQI); or a specific person (John, Jane), among others. The final security rule gives covered entities a great deal of flexibility in defining appropriate access levels.

Covered entities using role-based access should carefully consider the scope of their defined roles. Efficiency and convenience suggest fewer defined roles, with broader access rights for each role. The minimum necessary rule, in contrast, demands that covered entities define roles as narrowly as possible.



HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.

(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.