Information Access Management I

The next section under the Administrative Rules is Information Access Management. Generally agencies must implement policies and procedures for authorizing access to EPHI. There are 3 tasks in this section. The first is a required task and the 2nd and 3rd are addressable.

The first task is to implement procedures to isolate and protect EPHI from a parent organization. Basically, you must keep all EPHI protected even from parent or other affliated organizations unless there is a valid reason for the data to be made available to them. Your patient is not their patient. If access is to be granted, you must insure all other security rules are considered when you grant the access. This is a required task.