Access Control Policy

5. Procedures

1. UNIQUE USER IDENTIFICATION (Required — 164.312(a)(2)(i))

1.1 Every workforce member who accesses ePHI systems shall be assigned a unique user identifier (username) that is not shared with any other person.

1.2 Shared, generic, or group accounts are prohibited for accessing systems containing ePHI. Where a system requires a shared account for technical reasons, the exception must be approved by the Security Officer, documented with business justification, and compensating controls (e.g., enhanced logging) must be implemented.

1.3 User identifiers shall not be reassigned to other individuals. When a workforce member separates, their user ID shall be disabled, not reassigned.

1.4 The IT Manager shall maintain a list of all active user identifiers mapped to the individual workforce member.

2. EMERGENCY ACCESS PROCEDURE (Required — 164.312(a)(2)(ii))

2.1 [PRACTICE NAME] shall establish emergency access ("break-glass") procedures for obtaining access to ePHI during an emergency when the normal access mechanisms are unavailable.

2.2 Emergency access credentials shall be: stored in a sealed envelope in a secure location (e.g., a locked safe) accessible to the Security Officer and Practice Administrator, inventoried and tested at least [SEMI-ANNUALLY/ANNUALLY], and rotated (new credentials generated) after each use or test.

2.3 Any use of emergency access credentials shall be: logged automatically by the system, documented by the person who used them (including the reason and the data accessed), reviewed by the Security Officer within 24 hours of use, and followed by a return to normal access procedures as soon as possible.

2.4 Emergency access shall follow the principle of least privilege: it shall permit access to the ePHI actually needed to address the emergency and shall not be used as a general-purpose bypass of access controls. Note that the Privacy Rule's minimum necessary standard does not apply to disclosures to, or requests by, a health care provider for treatment (45 CFR § 164.502(b)(2)(i)); emergency access procedures must therefore be designed to ensure that workforce members can reach the ePHI required for patient care or system recovery without obstruction, while access beyond that need is avoided and all use is logged and reviewed.

3. AUTOMATIC LOGOFF (Addressable — 164.312(a)(2)(iii))

3.1 All workstations and devices that access ePHI shall be configured to automatically lock or log off after [NUMBER] minutes of inactivity.

3.2 For clinical workstations where auto-logoff may impede patient care, the Security Officer may approve an alternative session timeout with compensating controls (e.g., proximity badges that lock when the user walks away, tap-to-unlock features).

3.3 Remote sessions (VPN, remote desktop) shall have a session timeout of no more than [NUMBER] minutes of inactivity.

3.4 If [PRACTICE NAME] determines that automatic logoff is not reasonable and appropriate for a specific system, the decision must be documented with the alternative security measure implemented.

4. ENCRYPTION AND DECRYPTION (Addressable — 164.312(a)(2)(iv))

4.1 Encryption at Rest: All devices that store ePHI shall use full-disk encryption meeting current standards: - Windows devices: BitLocker with AES-256 - Mac devices: FileVault 2 with AES-256 - Mobile devices: Device-native encryption (enabled by default on modern iOS and Android) - Servers: Full-disk or volume encryption with AES-256 - Removable media: AES-256 encryption required before any ePHI is stored

4.2 Encryption in Transit: See the Transmission Security Policy for encryption requirements during electronic transmission.

4.3 Encryption Key Management: Encryption keys shall be protected from unauthorized access. Key recovery mechanisms shall be documented and tested. Lost encryption keys shall be reported to the IT Manager immediately.

4.4 If [PRACTICE NAME] determines that encryption is not reasonable and appropriate for a specific system or use case, the decision must be documented with an equivalent alternative measure, per the addressable specification process at 45 CFR § 164.306(d).

6. Roles & Responsibilities

Security Officer ([SECURITY OFFICER NAME]): Defines access control standards. Approves exceptions to shared account and auto-logoff requirements. Manages emergency access credentials. Reviews emergency access usage.

IT Manager/Vendor ([IT CONTACT NAME]): Implements and configures access controls on all systems. Maintains the user identifier registry. Configures auto-logoff settings. Implements encryption on all devices and servers. Manages encryption key storage.

All Workforce Members: Use only their assigned unique user identifier. Do not share login credentials. Lock workstations when stepping away. Report lost or compromised credentials immediately.

7. Review Schedule

This policy shall be reviewed at least annually. Active user identifiers shall be reviewed quarterly (see Workforce Security Policy). Emergency access credentials shall be tested at least semi-annually. Encryption configurations shall be verified during the annual security evaluation.

8. Regulatory References

45 CFR § 164.312(a)(1) — Access control (Required) 45 CFR § 164.312(a)(2)(i) — Unique user identification (Required) 45 CFR § 164.312(a)(2)(ii) — Emergency access procedure (Required) 45 CFR § 164.312(a)(2)(iii) — Automatic logoff (Addressable) 45 CFR § 164.312(a)(2)(iv) — Encryption and decryption (Addressable) 45 CFR § 164.306(d) — Implementation specifications for addressable safeguards NIST SP 800-111 — Guide to Storage Encryption Technologies HHS Guidance on Rendering Unsecured PHI Unusable, Unreadable, or Indecipherable (encryption safe harbor under 45 CFR § 164.402)