Implement technical policies and procedures to allow access to ePHI only to authorized persons or software programs
Technical access controls ensure that only authenticated, authorized users and systems can access ePHI. This requires assigning unique identifiers to every user so activity can be attributed, establishing procedures for emergency access when normal systems are unavailable, automatically logging off inactive sessions, and encrypting ePHI to render it unusable to unauthorized parties. These controls are the technical implementation of the access authorization decisions made in administrative safeguards.
Implementation steps
1. Assign unique user identification to every workforce member
Assign every workforce member a unique username or identifier for accessing systems containing ePHI. Shared accounts and generic logins (e.g., 'admin', 'nurse-station') are prohibited because they prevent attribution of activity to a specific individual. Implement this in your identity provider and enforce it on all ePHI systems.
Tools: okta, azure-ad, microsoft-active-directory
2. Establish emergency access procedures
Define procedures for obtaining access to ePHI during an emergency when normal authentication systems are unavailable. Emergency access procedures must be documented, every use of them must be logged, and the access granted must be reviewed after the emergency to confirm it was appropriate. Balance security with clinical need: in a patient safety emergency, ePHI must remain accessible.
Tools: confluence
3. Implement automatic logoff
Configure systems containing ePHI to automatically log off users after a period of inactivity. The appropriate timeout depends on the clinical context; 5 to 15 minutes is common. Automatic logoff prevents unauthorized access when a workforce member leaves a workstation unattended.
Tools: intune, jamf, microsoft-endpoint-manager, epic, azure-ad
4. Encrypt and decrypt ePHI
Implement encryption for ePHI stored on systems and devices (encryption at rest) and for ePHI transmitted over networks (encryption in transit). HIPAA's encryption requirement is addressable, but the standard of care is to encrypt. Use AES-256 for data at rest and TLS 1.2 or higher for data in transit. Manage encryption keys separately from the encrypted data.
Tools: aws-kms, azure-key-vault, intune
Evidence required
Unique user ID assignment
Evidence that all users have unique identifiers and shared accounts are not used.
- Identity management system user list
- Policy prohibiting shared accounts
- Access review confirming no shared logins
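The access review in the last evidence item can be automated. The following Go program is an added example, not code from this page or from any of the identity providers named above: it runs the shared-login check from step 1 over a constructed identity export, flagging enabled accounts that have no attributed owner, accounts attributed to more than one person, and generic role or location names. The Account shape, the genericNames pattern and the sample rows are assumptions; map them onto the fields your own provider's export actually carries.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Account is one row of an identity-provider export. The shape is assumed for
// this example; real Okta or Entra ID exports carry more fields than these.
type Account struct {
	Username string
	Owners   []string // workforce members the account is attributed to
	Enabled  bool
}

// genericNames matches role- or location-based logins that cannot be tied to
// one person. Assumed list; extend it with your own naming conventions.
var genericNames = regexp.MustCompile(
	`(?i)^(admin|administrator|root|guest|test|shared|nurse|nurse-station|frontdesk|reception|lab|pharmacy)(\d+|-\w+)?$`)

// Finding is one violation of the unique-identifier requirement.
type Finding struct {
	Username string
	Reason   string
}

// AuditUniqueIDs returns every enabled account that is generic by name, has no
// attributed owner, or is attributed to more than one person. Disabled accounts
// are skipped: they cannot be used, so they belong in a separate cleanup report.
func AuditUniqueIDs(accounts []Account) []Finding {
	var findings []Finding
	for _, a := range accounts {
		if !a.Enabled {
			continue
		}
		switch n := len(a.Owners); {
		case n == 0:
			findings = append(findings, Finding{a.Username, "no attributed owner"})
		case n > 1:
			findings = append(findings, Finding{a.Username,
				"shared by " + strings.Join(a.Owners, ", ")})
		}
		if genericNames.MatchString(a.Username) {
			findings = append(findings, Finding{a.Username, "generic login name"})
		}
	}
	return findings
}

// sampleExport is constructed data standing in for a real user-list export.
var sampleExport = []Account{
	{Username: "jsmith", Owners: []string{"Jane Smith"}, Enabled: true},
	{Username: "rjones2", Owners: []string{"Raj Jones"}, Enabled: true},
	{Username: "nurse-station", Owners: []string{"ICU night shift"}, Enabled: true},
	{Username: "admin", Owners: []string{"Bob Lee", "Ann Diaz"}, Enabled: true},
	{Username: "svc-backup", Owners: nil, Enabled: true},
	{Username: "contractor-old", Owners: []string{"Pat Ng"}, Enabled: false},
}

func main() {
	for _, f := range AuditUniqueIDs(sampleExport) {
		fmt.Printf("%-15s %s\n", f.Username, f.Reason)
	}
}
```

An account that is attributed to a single person but named generically is still reported, because the name alone defeats attribution in logs; an account with two owners is reported twice if its name is also generic, which is intended so that each reason appears in the review record.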
Automatic logoff configuration
Evidence that sessions auto-terminate after inactivity.
- Group Policy or MDM session timeout settings
- Application session timeout configuration
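For application-level session timeouts (the second evidence item), the distinction that matters is inactivity, not session age: the idle clock must reset on every authenticated request and a periodic sweeper must force the logoff and record it. The following Go example is added here and is not code from this page or from any product named above; the SessionStore type, its method names and the constructed timeline are all assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Session is one authenticated session on an ePHI application.
type Session struct {
	ID       string
	User     string
	LastSeen time.Time // last request from the user, not the session start time
}

// SessionStore applies an inactivity timeout. The current time is passed in by
// the caller so the policy is deterministic; production code passes time.Now().
type SessionStore struct {
	IdleTimeout time.Duration
	sessions    map[string]*Session
}

func NewSessionStore(idle time.Duration) *SessionStore {
	return &SessionStore{IdleTimeout: idle, sessions: map[string]*Session{}}
}

// Touch records activity for a session, creating it on first use. Every
// authenticated request should call this; it is what resets the idle clock.
func (s *SessionStore) Touch(id, user string, now time.Time) {
	if sess, ok := s.sessions[id]; ok {
		sess.LastSeen = now
		return
	}
	s.sessions[id] = &Session{ID: id, User: user, LastSeen: now}
}

// ExpireIdle logs off every session idle for longer than IdleTimeout and
// returns the affected session IDs, sorted, so the caller can write one audit
// event per forced logoff. Run it from a periodic sweeper.
func (s *SessionStore) ExpireIdle(now time.Time) []string {
	var expired []string
	for id, sess := range s.sessions {
		if now.Sub(sess.LastSeen) > s.IdleTimeout {
			expired = append(expired, id)
			delete(s.sessions, id) // deleting during range is safe in Go
		}
	}
	sort.Strings(expired)
	return expired
}

// Active reports whether a session still exists (has not been logged off).
func (s *SessionStore) Active(id string) bool {
	_, ok := s.sessions[id]
	return ok
}

func main() {
	// Constructed timeline: 10-minute timeout, two users, one keeps working.
	start := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	store := NewSessionStore(10 * time.Minute)
	store.Touch("s1", "jsmith", start)
	store.Touch("s2", "rjones", start)
	store.Touch("s1", "jsmith", start.Add(8*time.Minute)) // s1 is still active
	for _, id := range store.ExpireIdle(start.Add(12 * time.Minute)) {
		fmt.Println("forced logoff:", id) // prints s2 only
	}
}
```

The returned IDs are what the audit log needs: a forced logoff should be recorded just like a user-initiated one, so that the evidence for this control can be pulled from logs rather than only from configuration screenshots.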
Encryption configuration
Evidence that ePHI is encrypted at rest and in transit.
- Full-disk encryption policy and deployment report
- TLS configuration for ePHI systems
- Database encryption configuration
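Step 4 asks for AES-256 at rest with keys managed separately from the data. The usual way to satisfy the second half is envelope encryption: each record gets its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that lives only in the key service (AWS KMS or Azure Key Vault in practice), and only the wrapped DEK is stored beside the ciphertext. The Go program below is an added example, not code from this page or from either vendor: KeyService is a constructed stand-in for the external key service, and the record layout, function names and sample plaintext are assumptions. It uses AES-256-GCM so that any modification of the stored ciphertext, or an attempt to decrypt a record under a different record ID, is detected rather than silently yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService stands in for an external KMS. The KEK never leaves it; callers
// only get wrap and unwrap operations. Constructed stub for this example.
type KeyService struct{ kek []byte }

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts with a fresh random nonce and returns nonce||ciphertext.
// A random 96-bit nonce is acceptable here because each DEK encrypts one record.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	g, err := aesGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// openWith reverses sealWith and fails if the ciphertext or AAD was altered.
func openWith(key, blob, aad []byte) ([]byte, error) {
	g, err := aesGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// WrapDEK and UnwrapDEK are the only operations the data layer may ask of the
// key service. The record ID is bound in as AAD so a wrapped DEK cannot be
// moved to a different record.
func (k *KeyService) WrapDEK(dek, recordID []byte) ([]byte, error) {
	return sealWith(k.kek, dek, recordID)
}
func (k *KeyService) UnwrapDEK(wrapped, recordID []byte) ([]byte, error) {
	return openWith(k.kek, wrapped, recordID)
}

// Record is what gets written to the database: ciphertext plus the wrapped DEK.
// Neither the DEK in the clear nor the KEK is ever stored with the data.
type Record struct {
	ID         string
	WrappedDEK []byte
	Ciphertext []byte
}

func EncryptRecord(kms *KeyService, id string, plaintext []byte) (*Record, error) {
	dek := make([]byte, 32) // fresh AES-256 DEK per record
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealWith(dek, plaintext, []byte(id)) // AAD binds data to its record ID
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.WrapDEK(dek, []byte(id))
	if err != nil {
		return nil, err
	}
	return &Record{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func DecryptRecord(kms *KeyService, r *Record) ([]byte, error) {
	dek, err := kms.UnwrapDEK(r.WrappedDEK, []byte(r.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openWith(dek, r.Ciphertext, []byte(r.ID))
}

func main() {
	kms, _ := NewKeyService()
	rec, _ := EncryptRecord(kms, "patient-0001", []byte("DOB 1970-01-01")) // constructed ePHI
	pt, err := DecryptRecord(kms, rec)
	fmt.Printf("%s %v\n", pt, err)
}
```

Because the KEK is held only by the key service, a copy of the database (or a backup of it) contains nothing decryptable on its own, and revoking or rotating the KEK in the key service is what actually renders the stored ePHI unusable; that separation is the point of the "manage keys separately" requirement, and the KMS access logs are the evidence for who could decrypt what.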
Related controls
- Integrity: Implement policies and procedures to protect ePHI from improper alteration or destruction
- Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to ePHI is who they claim to be
- Transmission Security: Implement technical security measures to guard against unauthorized access to ePHI transmitted over electronic communications networks
- Workforce Security: Implement procedures to ensure workforce members have appropriate access to ePHI and prevent unauthorized access