§164.308(a)(4)(ii)(B): Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

Audit Inquiry

Does the entity have policies and procedures in place to grant access to ePHI for workforce members?

Does the entity grant access to ePHI for workforce members?

Obtain and review policies and procedures. Evaluate the content relative to the specified performance criteria for granting access, including whether authority to grant access and the process for granting access has been incorporated.

Elements to review may include but are not limited to:
• Workforce members or roles required to approve request to create information system accounts
• Procedures to create enable, modify, disable, and remove information system accounts
• Determination of what the authorization of access is based on

Obtain and review documentation associated with granting of access to ePHI (i.e., paper or electronic request). Evaluate and determine if the procedures for granting access to ePHI are in accordance with related policies and procedures.

Obtain and review documentation of newly hired workforce members’ access to ePHI. Evaluate documentation to determine the granting of access to ePHI, including whether the levels of access they have to systems containing, transmitting, or processing ePHI, are appropriate.

Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.