
HIPAA Understood: Information Access Management

Updated February 4th, 2019

This series is intended to help those required to be in compliance with HIPAA understand what is required of them. Regulatory standards are often difficult to understand because they are worded vaguely. By the end of this series, you will have a better understanding of what HIPAA requires of you. In addition, I will provide suggestions on how to achieve compliance based on what I have seen work most effectively.


If you have accepted “the golden rule” of HIPAA, then you will most likely have already achieved compliance with this standard while working through the previous ones. The rule:

“164.308(a)(4)(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part”

Get it yet? You need to document your information access management processes in policies and procedures. I have talked about this throughout the series thus far and I will continue to do so, as this is a very important part of compliance with the HIPAA final security rule. Now, you don’t want to just slap something into Word and call it a policy. Make sure you document accurate and up-to-date information regarding how ePHI is accessed within your organization: include who is authorized to access it, when and how that access is authorized, and how employees are authorized and cleared for access. This is yet another simple rule to comply with, yet a lengthy task, because this documentation needs to be kept up to date. Consider using the NIST CSF to create a compliance matrix so that every control uses the same language and policies and procedures are not duplicated.