§164.308(a)(4)(ii)(C): Implement policies and procedures that, based upon the covered entity’s or the business associate’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.
Audit Inquiry
Does the entity have policies and procedures in place to authorize access and document, review, and modify a user’s right of access to a workstation, transaction, program, or process?
Does the entity authorize access and document, review, and modify a user’s right of access to a workstation, transaction, program, or process?
Obtain and review the policies and procedures. Evaluate their content relative to the specified performance criteria for authorizing access, and for documenting, reviewing, and modifying a user’s right of access to a workstation, transaction, program, or process.
Obtain and review documentation regarding individuals whose access to information systems has been reviewed based on access authorization policies. Evaluate and determine whether individuals’ access has been reviewed and recertified in a timely manner by the appropriate personnel.
Obtain and review documentation demonstrating individuals whose access to information systems has been modified based on access authorization policies. Evaluate and determine whether modification of access to information systems is acceptable and modification of individuals’ access to information systems was completed and approved by appropriate personnel.
Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.
Required/Addressable: Addressable