Objective: Access to ePHI must be limited to authorized individuals based on their job responsibilities within the clinical practice, and identity must be reliably verified through secure authentication protocols, regardless of work set-up (e.g., onsite, hybrid, fully online).
Guidelines
Role-Based Access Control (RBAC)
Access to Electronic Medical Records (EMRs) and other support platforms must be based on clearly defined roles and responsibilities.
Providers and staff should be granted only the minimum access necessary to fulfill their duties. Access rights must be reviewed routinely and updated promptly when job roles change, when staff are terminated, or when contractors complete their assignments.
Password Management & Multi-Factor Authentication (MFA)
All systems containing or transmitting ePHI must require strong, unique passwords. Password management tools (such as 1Password) can be used to generate, securely store, and organize passwords. These tools reduce human error and make it practical to avoid reusing passwords or writing them down.
Passwords must not be shared or reused across different systems or users.
Multi-factor authentication (MFA) is required for all users accessing systems with ePHI, including remote users.
Automatic account lockouts must be enabled after multiple failed login attempts to slow password-guessing and brute-force attacks against user accounts.