§164.312(a)(1): Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
Audit Inquiry
Has the entity implemented technical policies and procedures for the electronic information systems that maintain ePHI to allow access only to authorized users?
Does the entity only allow access to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4) to electronic information systems that maintain electronic protected health information?
Obtain and review policies and procedures related to access control. Evaluate the content relative to the specified performance criteria to determine if ePHI is only accessible to authorized persons or software programs.
Elements to review may include but are not limited to:
• Identification of the capabilities of electronic information system access controls (i.e., read-only, modify, full access)
• Identification of the type of access controls implemented for the electronic information systems
• Identification of how system and generic IDs/accounts are implemented, managed and controlled by technical access controls
• Workforce members’ roles and responsibilities regarding the capabilities to add, modify, or delete user access
• The frequency of review and verification of user access to electronic information systems that maintain ePHI
• The frequency of review and verification of software program access to electronic information systems that maintain ePHI
• How access is removed upon termination or modified upon change of position
Obtain and review documentation demonstrating the implementation of access controls for electronic information systems that maintain ePHI. Evaluate and determine whether the electronic information systems have the capacity to enable access controls; whether, if access controls can be enabled, the enabled access controls are configured in accordance with the access control policies and procedures; and how the electronic information systems’ technical access capabilities are defined (e.g., read-only, modify, full access).
Obtain and review documentation demonstrating a list of new workforce members from the electronic information system who were granted access to ePHI. Obtain and review documentation demonstrating the access levels granted to new workforce members. Evaluate and determine whether workforce members’ access was approved; review the technical access granted to new workforce members and compare it to the approved user access to determine that technical access is approved and granted in accordance with the access authorization requirements.
Obtain and review documentation of a list of users with privileged access. Evaluate and determine whether the privileged access is appropriate based on the access control policies.
Obtain and review a list of default, generic/shared, and service accounts from the electronic information systems with access to ePHI. Obtain and review documentation demonstrating the access levels granted to default, generic/shared, and service accounts. Evaluate and determine if the default, generic/shared, and service accounts are in use and that access has been approved and granted in accordance with the access authorization requirements.
Obtain and review documentation demonstrating that periodic reviews of procedures related to access controls have been conducted. Evaluate and determine whether reviews have been performed of user access levels and evaluate the content in relation to the specified performance criteria.
Obtain and review documentation demonstrating a list of terminations and job transfers. Obtain documentation demonstrating the removal or modification of user access levels. Evaluate and determine whether user access level removal or modification was approved and performed in accordance with the related policies and procedures.
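The comparisons the audit steps above call for (granted versus approved access, default/generic/service accounts, privileged access, and terminations) as one automated reconciliation check. This is an added example, not part of the HHS audit protocol; the account names, access levels, level ranking and function names are constructed assumptions.

```python
# Added example (not from the HHS audit protocol): reconcile an export of
# effective access from an ePHI system against access-authorization records
# and the HR termination/transfer list, producing audit findings.
# All data below is constructed sample data.

APPROVED = {  # constructed: access-authorization records, user -> approved level
    "alice": "modify", "bob": "read-only", "svc_hl7": "read-only", "carol": "full",
}
GRANTED = {  # constructed: effective access exported from the ePHI system
    "alice": "modify", "bob": "full", "svc_hl7": "read-only",
    "dave": "read-only", "carol": "full", "guest": "modify",
}
TERMINATED = {"carol"}                      # constructed: HR terminations/transfers
GENERIC = {"svc_hl7", "guest"}              # constructed: default/generic/service accounts
PRIVILEGED = {"full"}                       # assumption: which levels count as privileged
LEVEL_RANK = {"read-only": 0, "modify": 1, "full": 2}  # assumption: capability ordering


def reconcile(approved, granted, terminated, generic):
    """Return sorted (finding, account, detail) tuples for the audit workpaper."""
    findings = []
    for user, level in granted.items():
        # Terminated or transferred users must have had access removed/modified.
        if user in terminated:
            findings.append(("terminated_still_active", user, level))
        # Every active grant must trace back to an approved authorization;
        # generic/service accounts are flagged separately for review.
        if user not in approved:
            kind = "generic_unapproved" if user in generic else "unapproved_grant"
            findings.append((kind, user, level))
        # A grant above the approved capability is excess privilege.
        elif LEVEL_RANK[level] > LEVEL_RANK[approved[user]]:
            findings.append(("excess_privilege", user, f"{approved[user]}->{level}"))
    return sorted(findings)


def privileged_accounts(granted):
    """List accounts holding a privileged level, for the privileged-access review."""
    return sorted(u for u, lvl in granted.items() if lvl in PRIVILEGED)


if __name__ == "__main__":
    for finding in reconcile(APPROVED, GRANTED, TERMINATED, GENERIC):
        print(*finding)
    print("privileged:", privileged_accounts(GRANTED))
```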
Required/Addressable
Required