§164.308(a)(3)(i): Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

Audit Inquiry

Does the entity have policies and procedures in place to ensure all members of its workforce have appropriate access to ePHI?

Does the entity ensure all members of its workforce have appropriate access to ePHI?

Obtain and review the policies and procedures that ensure all members of its workforce only have access to ePHI that is required for each workforce member to do his or her job.

Elements to review may include but are not limited to:
• That different levels of access to information systems are appropriately approved and communicated
• Ensuring that the workforce operates at privilege levels no higher than necessary to accomplish required job duties

Obtain and review documentation demonstrating access granted to workforce members and their job descriptions. Evaluate and determine that access granted to workforce members correlates with their job functions/duties.

Obtain and review documentation demonstrating that management reviews workforce members’ access to information systems that contain ePHI to determine if access is appropriate. Evaluate and determine if workforce members’ access to information systems that contain ePHI is certified and approved by appropriate management.

Required/Addressable

Required