§164.308(a)(3)(ii)(A): Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
Audit Inquiry
Does the entity have policies and procedures in place regarding the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed?
Does the entity authorize and/or supervise workforce members who work with ePHI or in locations where it might be accessed?
Obtain and review policies and procedures related to the authorization and/or supervision of workforce members. Evaluate the content in relation to the specified performance criteria and determine that appropriate authorization and/or supervision of workforce members who work with ePHI or in a location where it might be accessed is incorporated in the process.
Obtain and review documentation regarding how requests for information systems that contain ePHI and access to ePHI are processed. Evaluate and determine if appropriate authorization and/or supervision for granting access to information systems that contain ePHI is incorporated in the process and is in accordance with related policies and procedures.
Elements to review may include but are not limited to:
• Identification of who has the authorization and/or supervisory permission to approve access to information systems and/or locations where ePHI may be accessed
• How access requests to information systems are submitted
• How access to the information systems is granted
• How requests to access ePHI are submitted
• How access to ePHI is granted
• How authorization and/or supervisory approvals are verified
• How a workforce member’s level of access to ePHI is verified
Obtain and review documentation demonstrating how access requests to locations where ePHI might be accessed are processed. Evaluate and determine if appropriate authorization for granting access to locations where ePHI might be accessed is incorporated in the process and is in accordance with related policies and procedures.
Elements to review may include but are not limited to:
• How access requests to locations are submitted
• How access requests to locations are granted
• How authorization and/or supervisory approvals are verified
• How a workforce member’s level of access to a location is verified
Obtain and review documentation of workforce members who were authorized access to ePHI or locations where ePHI might be accessed and organizational charts/lines of authority. Evaluate and determine if access requests were properly authorized in accordance with the entity’s related policies and procedures and in accordance with established lines of authority.
Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.
Required/Addressable
Addressable