HIPAA Technical Safeguard: Access Control

By Robert McDermott, President & CEO, iCoreConnect

This is the first article of a five-part series looking at the aspect of HIPAA law known as “Technical Safeguards.” In this brief article, we address “Access Control” [Regulation 164.312(a)(1)].

The Access Control standard ensures that devices are accessed only by known, authorized user(s).


What is a “Technical Safeguard”?

The HIPAA Technical Safeguards are parts of the law designed to secure Protected Health Information (PHI) in its electronic form (also known as “ePHI”).


Do you have to follow the Technical Safeguards?

The HIPAA Technical Safeguards are law. Adhering to the safeguards not only protects your patients’ data but also protects you from costly fines.


How is Access Control implemented?

There are four implementation specifications for Access Control:

  1. Unique User Identification (Required): Assign a unique user ID to record user activity and identify those using electronic devices.
  2. Emergency Access Procedure (Required): Implement procedures allowing for access to ePHI in the event of an emergency.
  3. Automatic Logoff (*Addressable): Implement electronic procedures that automatically log authorized staff off from the device they’re using to access or exchange ePHI.
  4. Encryption (*Addressable): Implement a system that encrypts messages sent beyond your firewall and decrypts messages coming into your system.

All ePHI must meet the standards set by the National Institute of Standards and Technology, regardless of whether the information is in transit or at rest.


*What’s the difference between “required” and “addressable”?

You may see the word “required” or “addressable” associated with different specifications of the law. In an “addressable” specification, the government gives you the opportunity to document in writing how you have achieved the specification in an alternate manner or why you are unable to implement the specification.

For more information about access controls, or to see if you’re in compliance with this security standard, visit HHS.gov or call iCoreConnect at (888) 810-7706. iCoreConnect’s HIPAA-compliant email exchange (iCoreExchange) and practice management software (iCoreDental) are endorsed by FDA Crown Savings.

PUB NO.3000.023.060518
