Person or Entity Authentication

§164.312(d): Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Audit Inquiry

Does the entity have policies and procedures in place to verify that a person or entity seeking access to ePHI is the one claimed?
Does the entity verify that a person or entity seeking access to ePHI is the one claimed?

Obtain and review policies and procedures regarding person or entity authentication. Evaluate if systems and applications requiring authentication have been identified and whether authentication procedures have been implemented for the systems and applications that require authentication.
Elements to review may include but are not limited to:
• The authentication procedures for all systems and applications that access ePHI.
• Procedures to evaluate information systems and application authentication methods.
• The authentication process for verifying identity of a real person or an automated process or entity.

Obtain and review documentation demonstrating the implementation of authentication procedures for persons or entities seeking access to ePHI. Evaluate and determine whether the implemented authentication procedures are sufficient to verify that the persons or entity seeking access to ePHI is the one claimed.

Required/Addressable

Required