HIPAA requires you to implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process. Does your organization have written procedures for establishing and modifying access to perform these functions? Do you have any type of HIPAA Access Policy? If not, use the one below.

Please attach your access authorization policy and procedures.

Link to Regulation HIPAA – 45 C.F.R. § 164.308(a)(4)(ii)(B)

HIPAA Access Policy

Access Control

The IT department, third-party IT company, or Facility Administrator/Designated Security Contact manages all access control administration activities and monitors the security of information systems.

Access Approval Process

The employee’s manager or the practitioner in charge initiates the access approval process. The privileges granted remain in effect until the worker’s job changes or the worker leaves. If either of these events occurs, the manager immediately notifies the IS Manager or Administrator/Designated Security Contact. The existence of certain access privileges does not, in and of itself, mean that an individual is authorized to use these privileges. If Users have any questions about access control privileges, they should contact the IS Manager or Administrator/Designated Security Contact or the Chief Privacy Officer.

All non-employees (contractors, consultants, temporaries, outsourcing firms, etc.) also go through the access approval and authorization process initiated by the project manager. The privileges of non-employees are immediately revoked by the IT Manager or Administrator/Designated Security Contact upon notification of the project’s completion or when the non-employee stops working with

Access to Server Room (if Applicable)

Only those workforce members with an express purpose for entering the Server Room are granted access. Permission for access is determined by the IS Manager or Administrator/Designated Security Contact or Chief Privacy Officer with input from the practitioner in charge.