164.312(a)(2)(i) – Unique User Identification (Required)
Assign a unique name and/or number for identifying and tracking user identity.
Illustrative Controls and TIBCO LogLogic Solution
All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) must be uniquely identifiable. Giving every user a uniquely identifiable ID allows accurate and complete audit trails to be maintained. Deficiencies in this area can significantly impact accountability. For example, users logging in using shared IDs can modify healthcare records. This can prevent future audits from identifying who modified the data.
To satisfy this requirement, administrators must ensure that logins are not shared. Administrators must review the ID list to identify IDs that might be generic, and question who is using each one and why it exists. Administrators can review the times and sources of the logins to determine whether they overlap. If the times overlap and the sources are different, it indicates a shared (or generic) ID. Administrators must also validate that attempts to gain unauthorized access to healthcare reporting systems and subsystems are logged and are followed up on a timely basis.
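The overlap review described above can be automated once login and logout events are paired into sessions. The following is an added example, not part of the TIBCO LogLogic product or its documentation; the session tuple layout, the function name find_shared_ids and the sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample session records: (user_id, source, login, logout).
SESSIONS = [
    ("nurse01", "10.0.1.15", "2024-03-04 08:00", "2024-03-04 12:00"),
    ("nurse01", "10.0.1.15", "2024-03-04 13:00", "2024-03-04 17:00"),
    ("frontdesk", "10.0.2.20", "2024-03-04 08:05", "2024-03-04 16:30"),
    ("frontdesk", "10.0.2.31", "2024-03-04 09:10", "2024-03-04 11:45"),
    ("frontdesk", "10.0.2.44", "2024-03-04 11:00", "2024-03-04 15:00"),
    ("drsmith", "10.0.3.7", "2024-03-04 07:30", "2024-03-04 09:00"),
    ("drsmith", "10.0.9.2", "2024-03-04 09:00", "2024-03-04 18:00"),
]
FMT = "%Y-%m-%d %H:%M"  # assumed timestamp format of the constructed records


def find_shared_ids(sessions):
    """Return {user_id: [(source_a, source_b, overlap_start, overlap_end), ...]}
    for sessions of one ID that overlap in time and come from different sources."""
    by_user = defaultdict(list)
    for user, source, login, logout in sessions:
        start, end = datetime.strptime(login, FMT), datetime.strptime(logout, FMT)
        if end < start:
            raise ValueError(f"logout before login for {user} from {source}")
        by_user[user].append((start, end, source))

    findings = defaultdict(list)
    for user, rows in by_user.items():
        rows.sort()  # order by login time so the inner scan can stop early
        for i, (start_a, end_a, src_a) in enumerate(rows):
            for start_b, end_b, src_b in rows[i + 1:]:
                if start_b >= end_a:
                    break  # later sessions start even later: no overlap possible
                if src_a != src_b:
                    findings[user].append((src_a, src_b, start_b, min(end_a, end_b)))
    return dict(findings)


if __name__ == "__main__":
    for user, hits in find_shared_ids(SESSIONS).items():
        for src_a, src_b, begin, end in hits:
            print(f"{user}: {src_a} and {src_b} both active {begin} to {end}")
```

Back-to-back sessions (one ends exactly when the next begins) are not counted as overlapping. A match is a candidate for the "who is using it and why" review, since one person working from two devices produces the same pattern.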
Reports and Alerts
Use the following link or reference to see the 164.312(a)(2)(i) reports and alerts: 164.312(a)(2)(i) – Unique User Identification (Required).