Appendix Q 449
3. Where systems can facilitate access control to electronic protected health information at the transaction level, is this functionality used?

Guidance: If the electronic protected health information is accessed via some application, the access control features might allow access to be controlled at the transaction level. This is important because we sometimes tend to think of access at the network or file level. At the application level, features may exist that allow more granular control. Keep in mind, however, that there is maintenance associated with providing this type of access.

Client Response:
ii. Access Establishment and Modification

“Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.” [13]

This requirement addresses the modification of a user’s access based on that individual’s job requirements.
1. Is there a policy and procedure for the establishment and subsequent adjustment or modification of a user’s access based on change in positions or other changes in status?

Guidance: This is very much related to the earlier specification on Access Authorization. The user ID administration policy and procedure should allow for people’s jobs to be changed and their access be changed accordingly. Look for human resources (HR), department management, and IT to be involved in this process.

Client Response:
2. Is users’ access reviewed on a regular basis?

Guidance: Although this is not a required item, it is a good idea in most cases. If the termination process is not effective, reviewing user access is a good mechanism for ensuring, on a regular basis, that only authorized users have access and that the level of access is appropriate. In very small entities, this probably will not be as important because “everyone knows everyone.”
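As an added illustration of items 1 and 2 above (not part of the original checklist), the following reconciles an HR roster against the entitlements an application actually holds for each account, flagging the three conditions a periodic access review is meant to catch: terminated users still holding access, users whose entitlements exceed their current job role after a position change, and accounts with no HR owner. The role baseline, field names and sample data are constructed assumptions, not taken from any real system.

```python
from dataclasses import dataclass

# Assumed role-to-entitlement baseline: what each job role should hold.
ROLE_BASELINE = {
    "nurse": {"view_patient_record", "update_vitals"},
    "billing_clerk": {"view_patient_record", "submit_claim"},
    "it_admin": {"manage_accounts"},
}

@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "terminated_user_active" | "excess_entitlement" | "unknown_user"
    detail: str

def review_access(hr_roster, access_grants):
    """Return findings where held access does not match current HR status/role.

    hr_roster:     {user_id: {"status": "active"|"terminated", "role": str}}
    access_grants: {user_id: set of entitlement names held in the application}
    """
    findings = []
    for user, entitlements in sorted(access_grants.items()):
        record = hr_roster.get(user)
        if record is None:
            findings.append(Finding(user, "unknown_user", "no HR record for account"))
            continue
        if record["status"] != "active":
            findings.append(Finding(user, "terminated_user_active",
                                    f"status={record['status']}, holds {sorted(entitlements)}"))
            continue
        excess = entitlements - ROLE_BASELINE.get(record["role"], set())
        if excess:  # access left over from a previous role, or granted ad hoc
            findings.append(Finding(user, "excess_entitlement",
                                    f"role={record['role']} not entitled to {sorted(excess)}"))
    return findings

# Constructed sample: one job change, one termination, one orphaned account.
HR_ROSTER = {
    "jdoe": {"status": "active", "role": "billing_clerk"},  # moved from nurse to billing
    "asmith": {"status": "terminated", "role": "nurse"},
    "itops": {"status": "active", "role": "it_admin"},
}
ACCESS_GRANTS = {
    "jdoe": {"view_patient_record", "update_vitals", "submit_claim"},  # old right kept
    "asmith": {"view_patient_record"},
    "itops": {"manage_accounts"},
    "svc_legacy": {"view_patient_record"},  # no HR owner
}

if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ACCESS_GRANTS):
        print(f"{f.kind:24} {f.user:12} {f.detail}")
```

Each finding maps to an action for HR, department management and IT to resolve together: remove the access, update the baseline, or assign an owner.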