164.308(a)(4) Information Access Management

Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

Implementation Specification Description
164.308(a)(4)(ii)(A) Isolating Health Care Clearinghouse Functions (Required)

If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

164.308(a)(4)(ii)(B) Access Authorization (Addressable)

Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

164.308(a)(4)(ii)(C) Access Establishment and Modification (Addressable)

Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.