§164.308(a)(4)(i): Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

Audit Inquiry

Does the entity have policies and procedures in place for authorizing access to ePHI that support the applicable requirements of the Privacy Rule?

Does the entity authorize access to ePHI in a manner that supports the applicable requirements of the Privacy Rule?

Obtain and review the policies and procedures to determine that they reasonably and appropriately restrict access to only those persons and entities with a need for access. Also obtain the entity’s policies and procedures related to minimum necessary [45 CFR 164.502(b)] and safeguards [45 CFR 164.514(d)] to determine that the policies and procedures subject to this inquiry support an entity’s compliance with the minimum necessary requirement and safeguards requirement that limit unnecessary or inappropriate access to and disclosure of protected health information.

Evaluate and determine whether the technical implementation of the access controls used by the entity supports the minimum necessary policies and procedures and is consistent with the Privacy Rule safeguard policies.

Required/Addressable

Required