HIPAA Role-Based Access is a key concept of the HIPAA Security Rule. Under the Security Rule, healthcare organizations are required to implement access controls. Role-based access controls are a security technique that restrict access to an organization’s network to those individuals for whom access is required.
What is HIPAA Role-Based Access?
Under the technical safeguards provision of the HIPAA Security Rule, covered entities and business associates must implement technical policies and procedures. These policies and procedures must be implemented for electronic protected health information (ePHI). The procedures must be implemented to allow access only to those persons who require access to ePHI to fulfill their job duties. This concept of restriction of access is known as HIPAA role-based access.
Access controls may be implemented by:
- Assigning a unique name and/or number for identifying and tracking user identity.
- Establish and implement procedures for obtaining necessary ePHI during an emergency.
The above two access control methods are required. The following two access control methods are addressable, meaning that covered entities and business associates must implement them when it is reasonable and appropriate to do so:
- Implementing electronic procedures that terminate an electronic session after a predetermined time of inactivity.
- Implementing a mechanism to encrypt and decrypt ePHI.
- Encryption takes ePHI and converts it into unreadable text using software or algorithms. This unreadable text can only be deciphered through an decryption key that makes the text readable. Encryption protects data in the event of a breach or theft, and can leave the data useless to anyone who obtains or steals it.
Covered entities and business associates must implement role-based access controls to prevent unauthorized access to PHI.
Under role-based access, organizations must determine the circumstances under which ePHI must be accessed. There are a number of circumstances requiring an organization to access ePHI. Access to ePHI may be required to fulfill a right of access request; to allow providers to share treatment information with each other; and to enable business associates to perform functions on behalf of covered entities.
Under role-based access, organizations must, keeping those circumstances in mind, identify what individual or individuals have job roles that require their accessing or transmitting their ePHI to perform their job roles. An organization’s users who do not require access to PHI to perform their job duties, are regarded as “unauthorized” users, and as such, these users may not use or disclose ePHI.