Here are sample questions to ask as a quick self-assessment tool about Access Control, whether you are a healthcare provider referred to as a Covered Entity (CE), or a Business Associate (BA).

  1. Who among your workforce staff and/or Business Associates has authorized access to PHI?
  2. What is the data access control method applied for authorized and unauthorized persons?
  3. Who has an Access Granting Authority for your organization’s PHI?
  4. Who has the Access Granting Administration role/responsibility in your organization?
  5. What are your Access Rights Requirement(s), if any?
  6. Do you have a User Account Management policy and procedures in place in order to:
    • Setup User Account requirements.
    • Identify Access Rights.
    • Ensure User identification and authentication.
    • Security of Access Control data.
    • Modify or terminate Access Rights.
    • Maintain Access Control logs for at least six years.
  7. Do you have an Emergency Access plan and/or procedures to ensure availability of or access to PHI during an emergency?
  8. Has your organization instituted an automatic logoff or lockout device or system to prevent unauthorized access to PHI?
  9. What mechanisms (if any) do your devices or systems have in place to encrypt and decrypt PHI to deter access to data by unauthorized persons?

BREACH REPORT: CASES CURRENTLY UNDER INVESTIGATION SINCE JULY 2022

As of August 20, 2022

Below is actual data from the HHS OCR Portal. These are cases currently being investigated by said government agency. This data is posted in compliance with §13402 of the HITECH Act. Protected Health Information (PHI) breaches involving at least 500 individuals must be reported to and published by the HHS OCR Secretary.

Name of Covered Entity State Covered Entity Type Individuals Affected Breach Submission Date Type of Breach Location of Breached Information
Novant Health Inc. on behalf of Novant Health ACE & as contractor for NMG Services Inc. NC Business Associate 1362296 08/14/2022 Unauthorized Access/Disclosure Electronic Medical Record
Northwestern Medical Center VT Healthcare Provider 584 08/09/2022 Unauthorized Access/Disclosure Electronic Medical Record
Steward Medical Group FL Healthcare Provider 2188 07/26/2022 Unauthorized Access/Disclosure Electronic Medical Record
Santa Rosa County District Schools FL Health Plan 9424 07/25/2022 Unauthorized Access/Disclosure Other
Phoenixville Hospital PA Healthcare Provider 934 07/07/2022 Unauthorized Access/Disclosure Desktop Computer
Cheyenne Regional Medical Center WY Healthcare Provider 1652 07/05/2022 Unauthorized Access/Disclosure Desktop Computer, Electronic Medical Record

Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

References:

  1. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
  2. https://www.law.cornell.edu/cfr/text/45/164.312
  3. https://csrc.nist.gov/glossary/term/authorization
  4. https://csrc.nist.gov/glossary/term/identification
  5. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  6. https://www.law.cornell.edu/uscode/text/42/17932