Access Control - Policies and Procedures for e-PHI, v1.0

The Access Control standard (45 CFR Section 164.312(a)(1)) requires a covered entity or business associate to implement technical policies and procedures for electronic information systems that maintain electronic protected health information (e-PHI) to allow access only to those persons or software programs that have been granted access rights as specified in Section 164.308(a)(4) (Information access management).

Assessment Step

1
Allow Granted Access (AllowGrantedAccess)
Does the covered entity or business associate implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Section 164.308(a)(4)?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
A covered entity or business associate must implement these requirements in accordance with Section 164.306 (Security standards: General rules).

Conformance Criteria (1)

Allow Granted Access
The covered entity or business associate must implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Section 164.308(a)(4).
Citations
HIPAA-Security-Rule
45 CFR Section 164.312(a)(1)
HIPAA-Security-Rule
45 CFR Section 164.306