• E-mail
• Print
• RSS

Do small organizations need written authorization policies?

HIPAA Weekly Advisor, January 26, 2004

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Question: We're a small organization. Do we have to have written policies and procedures describing how we grant access authorization?

Answer: Your question refers to the required HIPAA security standard on information access management--45 CFR Section 164.308 (4)(ii)(B). The addressable implementation specification for access authorization tells you what to implement and gives suggestions on how to do it: "Implement polices and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program process, or other mechanism."

That language, and the fact that the standard is required, suggests that this specification should be met with something in writing, even if minimal. For example, your procedure may simply state that before accessing electronic PHI, each person who needs access must first be authorized by a designated individual or individuals. In your organization, that may be the chief, the clinical head of the group, the business manager, or some other trusted individual with authority. The designated authorizer completes a form used to approve access, and the form is filed.

Editor's note: This question and answer was adapted from HIPAA Security Made Simple, a book published by HCPro, Inc.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive