ePHI Security

Although the HHS has long stressed the importance of ePHI security, the influx of healthcare breaches makes it clear that many organizations have not heeded the warning. With an increase in breaches across all industries, cybersecurity has become the focus of many government agencies, including the HHS. Earlier this month, the HHS published its “Summer 2021 Cybersecurity Newsletter,” further emphasizing the importance of information access management and access controls.

ePHI Security and Information Access Management

The HHS requires organizations to “implement policies and procedures for authorizing access to [ePHI] that are consistent with the applicable requirements of [the HIPAA Privacy Rule].”

The Information Access Management standard requires the implementation of two specifications that apply to healthcare providers:

Access Authorization: focuses on the policies for granting access to ePHI. The HHS states in its newsletter, “this may include how access to each information system containing ePHI is requested, authorized, and granted, who is responsible for authorizing access requests, and the criteria for granting access. These policies typically govern the parameters for which individuals in particular workforce roles may be granted access to particular systems, applications, and data. Those parameters would reflect what information access is necessary for a workforce member to do their job.”

Access Establishment and Modification: focuses on the procedural aspects of how access is established, documented, reviewed, and modified. The HHS provides examples of situations that should be covered in these policies and procedures, such as increasing ePHI access levels for workers who are promoted, decreasing access levels for other workers, and emergency access procedures.

Establishing Access Controls

Establishing access controls is a requirement under the HIPAA Security Rule. The cybersecurity newsletter states, “The flexible, scalable, and technology-neutral nature of the Security Rule permits organizations to consider various access control mechanisms to prevent unauthorized access to ePHI. Such access controls could include role-based access, user-based access, attribute-based access, or any other access control mechanisms the organization deems appropriate. Further, acce