§164.308(a)(3)(ii)(B): Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

Audit Inquiry

Does the entity have policies and procedures in place to determine that a workforce member’s access to ePHI is appropriate?

Does the entity determine whether a workforce member’s access to ePHI is appropriate?

Obtain and review documentation related to workforce clearance procedures. Evaluate and determine whether such procedures have been incorporated to determine whether a workforce member’s access to ePHI is appropriate.

Elements to review may include but are not limited to:
• Clearing workforce members prior to authorizing access to ePHI
• Revalidation of workforce members’ clearance
• Frequency of revalidating workforce members’ clearance

Obtain and review documentation demonstrating the clearance process prior to granting workforce members access to ePHI. Obtain and review documentation demonstrating approval or verification of access to ePHI (e.g., approved access request forms, electronic approval workflow, etc.). Evaluate and determine if workforce members were granted appropriate access to ePHI based on the clearance process prior to gaining access to ePHI.

Has the entity chosen to implement an alternative measure?
If yes, obtain and review entity documentation of why it has determined that the implementation specification is not a reasonable and appropriate safeguard and what equivalent alternative measure has been implemented instead.
Evaluate documentation and assess whether the alternative measure implemented is equivalent to the protections afforded by the implementation specification.

Required/Addressable

Addressable