Question of the Week: How does role-based access work?
HIPAA Weekly Advisor, September 3, 2001
Q: The HIPAA security requirements address role-based access. How does role-based access work?
A: Access generally can be restricted in one of three ways:
1. Context-based access: based on the type of transaction
2. Role-based access: based on job or function (i.e., need to know)
3. User-based access: based on an individual's identity
Since a big concern identified in the 2001 Health Information Management Systems Society survey was internal threats to IT security, I would recommend access be restricted based on roles. Roles can be refined down to the document, database, or application level.
A physician may need to append information to a medical record, while a medical records clerk should be allowed to access the records but not add or change information. This approach is very useful if you want to allow all employees to access an application but restrict what information can be viewed or modified.
With role-based access, you need to authenticate the user, not just the machine they are logging on from. This can be accomplished via tokens, smartcards, or biometrics. This segmented approach is more specific than defining access based on "groups" (e.g., all accounting).
The Computer-based Patient Record Institute has an excellent document that gives many examples of role-based access schemes. Exactly how granular the role-based access needs to be depends on your organization. Keeping up with changes in titles, functions, and departmental changes to "roles" can be a daunting task.
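The physician/clerk scheme above, worked through as an added example (not from the column or the CPRI Toolkit): roles carry permissions, users carry roles, every check requires an authenticated user and is denied by default, and a job change is handled by swapping the role rather than editing per-user rights. The role names, permissions and usernames are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Set, Tuple


class Action(Enum):
    READ = "read"
    APPEND = "append"    # add new entries without altering existing ones
    MODIFY = "modify"    # change or delete existing entries


# Role -> permitted (resource type, action) pairs. Roles and permissions are
# constructed for this example; any pair not listed is denied (deny by default).
ROLE_PERMISSIONS = {
    "physician": {("medical_record", Action.READ), ("medical_record", Action.APPEND)},
    "medical_records_clerk": {("medical_record", Action.READ)},
    "billing_clerk": {("billing_record", Action.READ), ("billing_record", Action.MODIFY)},
}


@dataclass
class User:
    username: str
    roles: Set[str]
    authenticated: bool = False  # set only after a token, smartcard or biometric check


AUDIT_LOG: List[Tuple[str, str, str, str]] = []  # (user, resource, action, decision)


def authorize(user: User, resource_type: str, action: Action) -> bool:
    """Allow only if the user is authenticated and one of their roles grants the pair."""
    allowed = user.authenticated and any(
        (resource_type, action) in ROLE_PERMISSIONS.get(role, set())
        for role in user.roles
    )
    AUDIT_LOG.append((user.username, resource_type, action.value, "allow" if allowed else "deny"))
    return allowed


def reassign(user: User, old_role: str, new_role: str) -> None:
    """Job change: swap the role; no per-user permission edits are needed."""
    user.roles.discard(old_role)
    user.roles.add(new_role)


if __name__ == "__main__":
    dr = User("dr_smith", {"physician"}, authenticated=True)
    clerk = User("j_doe", {"medical_records_clerk"}, authenticated=True)
    print(authorize(dr, "medical_record", Action.APPEND))     # True
    print(authorize(clerk, "medical_record", Action.APPEND))  # False
    print(authorize(clerk, "medical_record", Action.READ))    # True
```

Every decision, allowed or denied, lands in AUDIT_LOG, which is the record you would review when investigating the internal threats the survey highlights.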
Go to http://www.cpri-host.org/toolkit/toc.html for more information on the CPRI Toolkit.
Editor's note: Answered by Jon Bogen, president of HealthCIO Inc. in Duxbury, MA. If you have a question, write to BOH, P.O. Box 1168, Marblehead, MA 01945, or send an e-mail to BOH editor Brian Driscoll at bdriscoll@hcpro.com.