HIPAAdvisor: Q & A with Steve Fox

Access Controls: Who Sees What Info?

QUESTION: What obligations does HIPAA's proposed Security rule impose upon covered entities concerning access controls like user IDs? Doesn't HIPAA allow somewhat broad latitude on the specific implementation of this rule?

ANSWER: The proposed Security rule is intended to allow covered entities some latitude in determining how best to comply with the security requirements.

In contrast to the Transactions Standards, which are only applicable to the electronic transmission of health information in connection with certain specified transactions, the proposed Security rule applies to any health information relating to an individual that is electronically maintained or transmitted by health plans, health care clearinghouses, and health care providers. The proposed rule does not distinguish between internal communication and communication that is external to the covered corporate entity.

The proposed Security rule consists of the requirements that a covered entity must address in order to safeguard the integrity, confidentiality, and availability of its electronic data. It also describes the implementation features that must be present in order to satisfy each requirement.

However, one of the principles that guided the formulation of the proposed Security rule was recognition that appropriate security practices are highly dependent upon individual circumstance. Instead of mandating or prescribing specific practices, the rule defines a general set of requirements and implementation features for them. These can be adopted in any one of several ways.

For example, one security requirement is that covered entities have a contingency plan in effect for responding to system emergencies. The plan must include certain features, including a disaster recovery plan. However, the proposed rule does not set forth any required elements for such a disaster recovery plan. Covered entities are left to determine exactly how to formulate a disaster recovery plan that best meets their needs and unique requirements.

With respect to access controls, the general set of requirements is:

  • establish and maintain formal, documented policies and procedures for granting different levels of access to health care information,
  • establish and maintain formal, documented policies and procedures for limiting physical access to an entity while ensuring that properly authorized access is allowed,
  • limit access to health information (by implementing a procedure for emergency access as well as enforcing either context-based access, role-based access, or user-based access) so that only those employees who have a business need may access such information,
  • execute entity authentication to prevent the improper identification of an entity who is accessing secure data,
  • protect communications containing health information that are transmitted electronically over open networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient, and
  • protect their information systems from intruders trying to access such systems through external communication points.

Steve Fox, Esq., is a partner in the Washington, D.C. office of Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law firm with more than 400 lawyers in ten offices. A specialist in healthcare, Steve is a frequent writer and speaker on healthcare information management and technology issues. www.pepperlaw.com/

This article was co-authored by Rachel H. Wilson, Esq., an associate at Pepper Hamilton.

Disclaimer: Steve's responses offer information that is general in nature and should not be relied upon as legal advice. Only your attorney is qualified to evaluate your specific situation and provide you with customized advice.

Have a question you'd like Steve to discuss in HIPAAlert? Send it to and he'll be glad to consider using it in a future column, with or without attribution.