11.6 STANDARD: INFORMATION ACCESS MANAGEMENT


The Information Access Management Standard has 3 separate Implementation Specifications, with one required and two addressable:

  • Isolating health care clearinghouse functions

  • Access authorization

  • Access establishment and modification

This Standard consists of implementing policies and procedures for authorizing access to EPHI consistent with the Privacy Standards. It would be wise to base these policies and procedures upon previous decisions made under the 'Workforce Security' section.

11.6.1 Isolating Health Care Clearinghouse Functions

The first of the three separate Implementation Specifications in the Information Access Management Standard is Isolating Health Care Clearinghouse Functions, a required specification of the HIPAA Security regulations.

The regulation reads:

'If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the EPHI of the clearinghouse from unauthorized access by the larger organization.'

This does not apply to most hospitals or medical centers. It is meant for insurance clearinghouses, which take insurance claims from providers and format and transmit them to the payors.

11.6.2 Access Authorization

The second of the three Implementation Specifications of the Information Access Management Standard is Access Authorization, which is an addressable specification.

This Standard consists of implementing policies and procedures for granting access to EPHI, i.e. through access to a workstation, transaction, program, process or other method. These policies will establish who will authorize access at each facility and are based upon previous decisions the covered entity made under 'Workforce Security'.

To address this specification the covered entity should establish a policy and procedure whereby the Information Systems (or Information Technology) department grants access to the network and EPHI only with specific authorization from a responsible party, such as a department manager or director.

11.6.3 Access Establishment and Modification

The last of the three Implementation Specifications of the Information Access Management Standard is Access Establishment and Modification, which is also an addressable specification.

A policy and procedure should be written and enforced for the establishment of new user accounts to access EPHI, as well as any review and modification of those accounts, specifically for access through a workstation, transaction, program, process or other method.

Authorization should have previously been established in the preceding specification. This authorization should be documented and saved and compared to other such authorizations for staff with similar roles and responsibilities.

This is the 'how to authorize' access and changes to access. By comparison, the Workforce Security Standard policies and procedures are 'how to limit once authorized'.
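As an added illustration, not from the book, the following shows how the two procedures above could be recorded in code: the Access Authorization gate from 11.6.2 (IT provisions nothing without a documented sign-off from a responsible party) and the establish, modify and peer-review steps from 11.6.3. The role names, system names, the rule that only department managers or directors may sign off, and the sample staff are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List

# Roles that may sign off on access to EPHI (assumed policy value, not from the text)
RESPONSIBLE_PARTY_ROLES = {"department manager", "department director"}


@dataclass(frozen=True)
class Authorization:
    """One documented access authorization, kept as the record the specification asks for."""
    user: str
    job_role: str                 # workforce role, e.g. "nurse"
    systems: FrozenSet[str]       # EPHI systems or applications the user may access
    authorized_by: str            # responsible party who signed off
    authorizer_role: str          # role of that party, checked against RESPONSIBLE_PARTY_ROLES
    authorized_on: date


class AccessRegistry:
    """IT-side record of who holds what access and on whose authority.
    Grants succeed only with sign-off from a responsible party; a modification
    is recorded as a fresh authorization so the history stays reviewable."""

    def __init__(self) -> None:
        self._current: Dict[str, Authorization] = {}
        self._history: List[Authorization] = []

    def grant(self, auth: Authorization) -> bool:
        """Establish access. Returns False, recording nothing, if the sign-off
        did not come from a responsible party or names no systems."""
        if auth.authorizer_role not in RESPONSIBLE_PARTY_ROLES:
            return False
        if not auth.systems:
            return False
        self._current[auth.user] = auth
        self._history.append(auth)
        return True

    def modify(self, auth: Authorization) -> bool:
        """Change existing access: same gate as a new grant, and the account must already exist."""
        if auth.user not in self._current:
            return False
        return self.grant(auth)

    def systems_for(self, user: str) -> FrozenSet[str]:
        auth = self._current.get(user)
        return auth.systems if auth else frozenset()

    def review_outliers(self, user: str) -> FrozenSet[str]:
        """Access this user holds that no other user in the same job role holds.
        These are candidates for the periodic review, not automatic revocation."""
        me = self._current[user]
        peers = [a.systems for u, a in self._current.items()
                 if u != user and a.job_role == me.job_role]
        if not peers:
            return frozenset()
        held_by_any_peer = frozenset.union(*peers)
        return me.systems - held_by_any_peer


def demo() -> dict:
    """Constructed sample: a nursing unit whose director authorizes access."""
    reg = AccessRegistry()
    day = date(2003, 1, 15)
    ok1 = reg.grant(Authorization("nurse_a", "nurse", frozenset({"ehr", "pharmacy"}),
                                  "dir_nursing", "department director", day))
    ok2 = reg.grant(Authorization("nurse_b", "nurse", frozenset({"ehr", "pharmacy"}),
                                  "dir_nursing", "department director", day))
    # Sign-off by someone who is not a responsible party: must be refused
    refused = reg.grant(Authorization("nurse_c", "nurse", frozenset({"ehr"}),
                                      "helpdesk_1", "help desk", day))
    # Third nurse properly authorized, but with one system the peers do not hold
    ok3 = reg.grant(Authorization("nurse_d", "nurse", frozenset({"ehr", "pharmacy", "billing"}),
                                  "dir_nursing", "department director", day))
    # Modifying an account that was never established is refused
    bad_mod = reg.modify(Authorization("nurse_c", "nurse", frozenset({"ehr"}),
                                       "dir_nursing", "department director", day))
    return {
        "granted": ok1 and ok2 and ok3,
        "refused": refused,
        "bad_mod": bad_mod,
        "nurse_c_access": reg.systems_for("nurse_c"),
        "nurse_d_outliers": reg.review_outliers("nurse_d"),
        "nurse_a_outliers": reg.review_outliers("nurse_a"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The peer comparison deliberately reports rather than revokes: under the specification, the outcome of a review is a documented decision by the responsible party, and the registry only surfaces what differs from staff with the same role.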




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181