OCR Cybersecurity Newsletter Focuses on Controlling Access to ePHI

The Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services recently issued its Summer 2021 Cybersecurity Newsletter, which focuses on controlling access to electronic PHI (ePHI) and the HIPAA Security Rule standards that govern it. Citing a recent report on security incidents and data breaches in the healthcare sector, OCR noted that 61 percent of the analyzed data breaches were perpetrated by external threat actors and 39 percent by insiders. Incidents included hackers infiltrating information systems, workforce members impermissibly accessing patient health information, and ePHI being left on unsecured servers.

The newsletter discusses two HIPAA Security Rule standards that govern access to ePHI: Information Access Management (an administrative safeguard) and Access Control (a technical safeguard). Each standard includes several implementation specifications for HIPAA-regulated entities that are either required (must be implemented) or addressable (must be assessed and implemented if the safeguard is reasonable and appropriate in the entity’s environment). If an addressable specification is not reasonable and appropriate, the entity must document why and, if feasible, implement an equivalent alternative measure.

The Information Access Management standard has three implementation specifications, two of which apply generally to covered entities and business associates (the third is specific to health care clearinghouses). The first, Access Authorization, concerns the policies and procedures that govern how covered entities and business associates authorize or grant access to ePHI within their organization. These policies typically define which workforce roles may be granted access to which systems, applications, and data, and those parameters should reflect the information access a workforce member actually needs to do their job. The second, Access Establishment and Modification, describes how to establish, document, review, and modify a user’s access to workstations, tran ..
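As an added illustration of the two specifications just described (this is example code, not part of the OCR newsletter or of the original post), the following Python sketch models a role-based Access Authorization policy and the record-keeping that Access Establishment and Modification calls for. The role names, permissions, users and the 90-day review window are constructed assumptions chosen for the example; a real policy would document its own.

```python
"""Role-based access authorization and access-change review for ePHI.

Added example, not part of the OCR newsletter or the original post.
Roles, permissions, users and the review window are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed role-to-permission map: the "parameters" an Access Authorization
# policy documents. Each role gets only what the job requires (minimum necessary).
ROLE_PERMISSIONS = {
    "billing_clerk": {"ehr:read_demographics", "billing:read", "billing:write"},
    "nurse": {"ehr:read_demographics", "ehr:read_clinical", "ehr:write_clinical"},
    "it_admin": {"system:manage_accounts"},  # manages accounts, does not read ePHI
}


@dataclass
class User:
    name: str
    role: str
    last_reviewed: date                      # when this user's access was last reviewed
    history: list = field(default_factory=list)  # documented access changes


def is_authorized(user, permission):
    """Access Authorization: allow only if the user's role grants the permission.

    An unknown role maps to an empty permission set, so access is denied by default.
    """
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def change_role(user, new_role, approver, when):
    """Access Establishment and Modification: apply a role change and document it.

    Records who approved the change, what changed and when, and counts the change
    as a review of the user's access.
    """
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {new_role}")
    user.history.append(
        {"date": when, "from": user.role, "to": new_role, "approver": approver}
    )
    user.role = new_role
    user.last_reviewed = when


def overdue_for_review(users, today, max_age_days=90):
    """Return the names of users whose access has not been reviewed within the window.

    The 90-day window is a constructed policy value for this example.
    """
    return [u.name for u in users if (today - u.last_reviewed).days > max_age_days]


if __name__ == "__main__":
    # Constructed sample: a billing clerk who moves to a nursing role mid-year.
    alice = User("alice", "billing_clerk", date(2021, 1, 15))
    print(is_authorized(alice, "ehr:read_clinical"))   # False: not needed for billing
    change_role(alice, "nurse", approver="hr_manager", when=date(2021, 6, 1))
    print(is_authorized(alice, "ehr:read_clinical"))   # True after the documented change
    print(is_authorized(alice, "billing:write"))       # False: old role's access removed
    bob = User("bob", "it_admin", date(2021, 1, 1))
    print(overdue_for_review([alice, bob], date(2021, 8, 1)))  # ['bob']
```

The point of the sketch is that a role change both grants and revokes access in one step (the old role's permissions do not linger), every change leaves an auditable record, and the review function surfaces accounts whose access has not been re-examined, which is the kind of evidence an entity would need to show the specification is being followed.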
