Ali Pabrai, Security+, CISSP, CHP, CSCS
HIPAA Academy, chief executive
Requirements for identity management are addressed in several areas of the HIPAA Security Rule. In the Technical Safeguards section of the HIPAA Security Rule, the two Standards that address this area are:
- Access Control (§ 164.312(a)(1))
- Person or Entity Authentication (§ 164.312(d))
The Access Control Standard requires that organizations implement technical policies and procedures for electronic information systems that maintain Electronic Protected Health Information (EPHI) to allow access only to those persons or software programs that have been granted access rights. The Person or Entity Authentication Standard requires that organizations implement procedures to verify that a person or entity seeking access to EPHI is the one claimed. Additional requirements for identity management are also defined in other areas of the regulation. For example, under Administrative Safeguards, the Workforce Security Standard includes an addressable implementation specification called Termination Procedures, and Password Management is defined as an implementation specification of the Security Awareness and Training Standard.
To address these requirements, organizations need to determine the following:
- Have all applications and systems with EPHI been identified?
- What user roles are defined for all such identified applications and systems?
- Are data and/or systems being accessed remotely?
- How are the systems and applications being used?
  - Viewing EPHI?
  - Modifying EPHI?
  - Creating EPHI?
- Who manages access control procedures?
- What are the procedures for adding, changing, and terminating users' access to systems and applications?
- What authentication mechanisms are defined for regular and privileged users of systems and applications?
- What audit policies exist for reviewing access rights and accounts established in the system?
For a complimentary executive brief PDF on Information Security Strategy, please contact Lorna Waggoner at Lorna.Waggoner@ecfirst.com or call her at 1.515.453.8247 x17.