This policy is listed for reference only and should be reviewed with your lawyer before it is implemented in daily practice. We are not lawyers and are not providing any legal advice. View our legal disclaimer.

Workforce Security: Authorization and/or Supervision (Addressable)

Reference: 45 CFR 164.308(a)(3)(ii)(A)
Last Updated: July 5, 2023


The purpose of the Authorization/Supervision policy is to:

  • Establish written procedures for granting and revoking access to protected health information and computer systems.
    • Develop levels of access for each individual and make required changes based on the employee’s responsibilities (promotions, termination, changes in duties, etc.).
  • Establish policies regarding security training and necessary updates.
  • Establish a procedure for the supervision of vendors when working on or close to protected information.


Procedure: Some of the tasks required under this policy have been covered in greater detail under subsequent policies. Regardless, the basic procedures are as follows:

  • Position descriptions have been updated to define rights to information based on personnel’s responsibilities.
    • Position descriptions accurately reflect assigned duties and responsibilities and enforce segregation of duties.
  • A system of authentication is in place to ensure that Individuals are who they claim to be prior to allowing access to any equipment containing ePHI.
  • Workstations containing computer terminals are secured with physical safeguards to minimize the possibility of unauthorized observation or access to ePHI.
  • Areas where sensitive information is regularly entered or utilized have been secured using barriers to prevent public viewing of ePHI during normal working hours. Wherever feasible, these areas will be locked when not in use.
  • Printers and fax machines have been located in the most secure areas available, and will not be located in or near areas frequented by individuals or the public.
  • Written procedures have been developed and are reviewed and updated by the Security Manager to delineate the steps needed to grant and revoke employee access.