Information Access Management III

The last task under Information Access Management is to implement policies and procedures that, based on access authorization policies, establish, document, review, and modify a users right of access to a workstation, transaction, program or process. This task is addressable.

This is kind of an overview of the Information Access management requirement. Basically you have to have a method of determining who has rights, how to assign the rights, review and modify rights as needed, and document these policies and procedures. Note that granting access to a workstation may or may not be sufficient. A person may have access to a workstation but may not have access to certain applications that contain EPHI. Also a person may have access to an EPHI application but may not have access to certain EPHI components within the application.