By Iseman Cunningham Riester & Hyde LLP
Covered Entities must implement a “unique user identification” standard for use of the Covered Entities’ information systems. Unique user identification is a “required” specification under the Access Control standard and must be implemented by all Covered Entities.
As the name implies, unique user identification refers to the use of a unique name or number to identify and track specific individuals using the information system. Use of a unique name or number is an aid in verifying the identity of the person using the system. An effective unique user identification policy will ensure that system activity can be traced to a specific individual.
Policies concerning unique user identification should not overlook ongoing maintenance of user identification data. User identifications that do not correlate with active workforce members (such as those of former employees) present an increased risk for abuse. Consider setting automated system monitors to disable user identifications that remain inactive for certain periods of time (30 days, for example). The policies may also address temporary disabling for employees leaving the office for extended periods, such as medical/family leave or vacations.
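As an added illustration (not part of the original tip), the following Python example shows one way the automated monitor described above could work: it reconciles each enabled user identification against the workforce roster, flags identifications not tied to a current workforce member, suspends those whose owner is on extended leave, and disables those inactive for more than 30 days. The field names, status values, and sample records are assumptions constructed for the example.

```python
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=30)  # the example period given in the text

# Constructed sample data. Assumed shape: accounts exported from the identity
# store, roster exported from HR; all field names and values are hypothetical.
ACCOUNTS = [
    {"user_id": "jdoe", "employee_id": "E100", "created": date(2023, 1, 9), "last_login": date(2024, 6, 25), "enabled": True},
    {"user_id": "asmith", "employee_id": "E101", "created": date(2022, 3, 1), "last_login": date(2024, 5, 20), "enabled": True},
    {"user_id": "bnguyen", "employee_id": "E102", "created": date(2021, 7, 15), "last_login": date(2024, 6, 20), "enabled": True},
    {"user_id": "kpatel", "employee_id": "E103", "created": date(2020, 2, 2), "last_login": date(2024, 6, 29), "enabled": True},
    {"user_id": "frontdesk", "employee_id": None, "created": date(2019, 5, 5), "last_login": date(2024, 6, 30), "enabled": True},
    {"user_id": "mlee", "employee_id": "E104", "created": date(2024, 6, 24), "last_login": None, "enabled": True},
    {"user_id": "rcole", "employee_id": "E105", "created": date(2022, 8, 8), "last_login": date(2024, 5, 31), "enabled": True},
    {"user_id": "olduser", "employee_id": "E106", "created": date(2018, 1, 1), "last_login": date(2023, 1, 1), "enabled": False},
]
ROSTER = {  # employee_id -> workforce status
    "E100": "active", "E101": "active", "E102": "leave", "E103": "terminated",
    "E104": "active", "E105": "active",
}


def review_accounts(accounts, roster, today, limit=INACTIVITY_LIMIT):
    """Map user_id -> (action, reason) for enabled accounts that need action."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to do
        uid = acct["user_id"]
        status = roster.get(acct["employee_id"])  # None: shared or orphaned ID
        # An account that has never logged in is aged from its creation date.
        idle = today - (acct["last_login"] or acct["created"])
        if status not in ("active", "leave"):
            findings[uid] = ("disable", "not tied to a current workforce member")
        elif status == "leave":
            findings[uid] = ("suspend", "owner on extended leave")
        elif idle > limit:  # exactly 30 days idle is still within the limit
            findings[uid] = ("disable", f"inactive for {idle.days} days")
    return findings


if __name__ == "__main__":
    for uid, (action, reason) in review_accounts(ACCOUNTS, ROSTER, date(2024, 6, 30)).items():
        print(f"{uid}: {action} ({reason})")
```

The function only reports proposed actions; applying them to the information system, and re-enabling an identification when its owner returns from leave, is left to whatever account-management process the Covered Entity uses.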
HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.
(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.




















