Health Information Management

Manage EHR access and audit controls

HIM-HIPAA Insider, May 8, 2012


HIPAA requires covered entities (CEs) to implement technical policies and procedures for electronic information systems that limit access to electronic protected health information (ePHI) only to those persons or software programs that have been granted access rights [§164.312(a)] as specified in the administrative safeguards under access authorization, establishment, and modification [§164.308(a)(4)].

Implementation specifications include the requirement for unique user identification and an emergency access procedure. The specifications also address automatic logoff and encryption/decryption of data retained in systems.

Access controls should be consistent with the requirements for minimum necessary use [§164.512(d)(2)(i)]. CEs should identify the persons or classes of persons, as appropriate, in the workforce who need access to PHI to carry out their duties. For each such person or class of persons, CEs must identify the category or categories of PHI to which access is needed and any conditions appropriate to such access.

This article was adapted from the April edition of Medical Records Briefings.


