This policy is listed for reference only and should be reviewed with your lawyer before implementing it into daily practice. We are not lawyers and are not providing any legal advice.

Workforce Security: Access Control

Reference: 45 CFR 164.308(a)(3)(ii)(A)
Last Updated: July 5, 2023


The purpose of the Access Control policy is to:

  • Establish written procedures for granting and revoking access to protected health information and computer systems.
  • Develop levels of access for each individual, and the required changes to that access based on the employee’s responsibilities (promotions, termination, changes in duties, etc.).

Baseline: Access to Information systems and Electronic Patient Health Information (EPHI) shall be based on actions to be completed by the team member’s supervisor/manager as follows:

  • Only the team member’s supervisor or manager can grant access to the Organization’s Information Systems.
  • Access to the information system or application may be revoked or suspended, consistent with the current policies, if there is evidence that an individual is misusing information or resources.
  • Any individual whose access is revoked or suspended may be subject to disciplinary action or other appropriate corrective measures.
  • Each supervisor/manager shall ensure that only team members who require access to Information Systems are granted access. Furthermore, each supervisor/manager shall confirm that the access to the Information Systems and EPHI granted is the minimum necessary access required.
  • If the team member no longer requires access, it is the supervisor or manager’s responsibility to complete the necessary process to terminate access.


Procedures: Prior to granting access the supervisor/manager shall confirm that the following tasks have been completed:

  • Background checks as described in the Workforce Clearance Policy have been completed.
  • Position Description has been completed and identifies the access to be given to the team member. Business Associates must have the access for each position identified in their Business Associates Agreement or an attachment to the same.
  • Security training has been completed.
  • Team member has been assigned his/her own personal login and password to the relevant systems.