HIPAA Understood: Authorization and/or Supervision

This series is intended to help those required to comply with HIPAA understand what is required of them. Regulatory standards are often difficult to understand because they are worded vaguely. By the end of this series, you will have a better understanding of what is required of you by HIPAA. In addition, I will provide suggestions on how to achieve compliance based on what I have seen work most effectively.


Once you establish what roles within your organization may access sensitive information, you still need to individually allow personnel within these roles to have such access. Not only is this considered best practice, but it is also addressed by the HIPAA rule below.

“164.308(a)(3)(ii)(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.”

This rule is straightforward and is directly related to the previous week’s rule. The gist is that you must have a process in place to approve access to ePHI/PHI. This process should be performed prior to access being granted to this type of information; I know this seems obvious, but I have encountered situations where this was not occurring. The approval process should include a senior member of the organization who is either the information owner or the system owner for where the access is being granted. The supervision portion can be achieved through auditing. The auditing can be technical audits conducted to determine who is accessing the information, periodic audits to determine whether those granted access are the only ones who have access, or a combination of the two. The audits should be documented so they can be used as proof during a future audit or assessment. There are other methods you may choose to use, and again I would say use what works best for your organization and ensure that the key points of having an approval process and/or supervision process are implemented, effective, and documented.