164.308(a)(3)(ii)(A) – Authorization and Supervision

Implement procedures for the authorization and supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

Illustrative Controls and TIBCO LogLogic Solution

User access rights to systems and data should be in line with defined and documented business needs and job requirements.

Accurately managing user access rights addresses the issues of unintended or malicious modifications of healthcare data. Deficiencies in this area might allow unauthorized modifications that could lead to errors in reporting.

Administrators must determine that the following requirements are met:

  • Access rights for privileged User IDs are restricted to the least privileges necessary to perform the job.
  • Privileges are assigned to individuals based on job classification and function.
  • An authorization form, signed by management, specifies the privileges required for each user.
  • An automated access control system is in use.
  • Access is set to “deny-all” by default, so that any permission must be explicitly granted.

To satisfy this control objective, administrators must monitor and verify all user access to programs and data, and periodically review user access to files and programs to confirm that users have not accessed items outside of their role. For each review, administrators must select a sample of users who have logged in to healthcare reporting servers and check that each user's access was appropriate for their job function.
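The periodic review described above, worked through as an added example. This is illustrative code written for this page, not TIBCO LogLogic code and not LogLogic report output; the log line format, the user-to-role directory and the role entitlement table are all constructed for the example and stand in for whatever the authorization forms and the access control system actually record. It parses successful access events, flags any user who accessed a resource outside their documented role (or who has no documented role at all), lists denied attempts as evidence that the deny-all default is working, and draws the user sample for manual review.

```python
import random
import re
from collections import defaultdict

# Constructed: privileges an authorization form would grant per role (hypothetical data)
ROLE_ENTITLEMENTS = {
    "billing_clerk": {"claims_db", "billing_reports"},
    "nurse": {"ehr_app", "med_orders"},
    "dba": {"claims_db", "ehr_app", "audit_db", "ssh_admin"},
}

# Constructed: user directory mapping each workforce member to a job role (hypothetical data)
USER_ROLES = {
    "alice": "billing_clerk",
    "bob": "nurse",
    "carol": "dba",
    "dave": "billing_clerk",
}

# Constructed sample access log in a simple key=value format (not a real product format)
SAMPLE_LOG = """\
2024-03-04T08:01:12Z reportsrv01 access user=alice resource=billing_reports action=read result=success
2024-03-04T08:02:40Z reportsrv01 access user=alice resource=ehr_app action=read result=success
2024-03-04T08:05:03Z reportsrv01 access user=bob resource=ehr_app action=read result=success
2024-03-04T08:06:55Z reportsrv01 access user=bob resource=claims_db action=read result=success
2024-03-04T08:10:31Z reportsrv01 access user=carol resource=audit_db action=write result=success
2024-03-04T08:12:09Z reportsrv01 access user=eve resource=ehr_app action=read result=success
2024-03-04T08:13:47Z reportsrv01 access user=dave resource=ehr_app action=read result=denied
"""

LINE_RE = re.compile(
    r"user=(?P<user>\S+) resource=(?P<resource>\S+) action=(?P<action>\S+) result=(?P<result>\S+)"
)


def parse_access_log(text):
    """Turn each well-formed log line into a dict; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def review_access(events, user_roles, role_entitlements):
    """Return {user: [(resource, reason), ...]} for successful access outside the user's role.

    A user with no entry in the directory has no signed authorization on file, so every
    successful access by that user is a finding.
    """
    findings = defaultdict(list)
    for ev in events:
        if ev["result"] != "success":
            continue  # denied attempts are handled by denied_attempts()
        user = ev["user"]
        role = user_roles.get(user)
        if role is None:
            findings[user].append((ev["resource"], "no documented role/authorization"))
        elif ev["resource"] not in role_entitlements[role]:
            findings[user].append((ev["resource"], f"outside role '{role}'"))
    return dict(findings)


def denied_attempts(events):
    """Denied events show the deny-all default refusing access the role does not grant."""
    return [(ev["user"], ev["resource"]) for ev in events if ev["result"] == "denied"]


def sample_users(events, n, seed=0):
    """Pick n distinct users who logged activity, for the manual appropriateness review.

    The seed is fixed so the sample can be reproduced for the audit record.
    """
    users = sorted({ev["user"] for ev in events})
    return random.Random(seed).sample(users, min(n, len(users)))


if __name__ == "__main__":
    evs = parse_access_log(SAMPLE_LOG)
    for user, items in review_access(evs, USER_ROLES, ROLE_ENTITLEMENTS).items():
        for resource, reason in items:
            print(f"FINDING {user}: accessed {resource} ({reason})")
    for user, resource in denied_attempts(evs):
        print(f"DENIED  {user}: attempted {resource}")
    print("review sample:", sample_users(evs, 3))
```

On the constructed data the review flags alice (ehr_app is not a billing clerk entitlement), bob (claims_db is not a nurse entitlement) and eve (no role on file), records dave's denied attempt, and hands three users to the reviewer. In practice the entitlement table would be derived from the signed authorization forms and the events from the LogLogic access reports rather than from inline strings.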

As part of the procedures for the authorization and supervision of workforce members who work with electronic protected health information, TIBCO LogLogic access reports and alerts must be used to validate that access has been configured correctly and that appropriate access is maintained over time.

Reports and Alerts

Use the following link or reference to see the 164.308(a)(3)(ii)(A) reports and alerts: 164.308(a)(3)(ii)(A) – Authorization and Supervision.