The Technical Section

The next section of the HIPAA Security Rule is the Technical Section. The Technical Section consists of several components. The first is Access Control, which consists of 2 required tasks and 2 addressable tasks. The Access Control component requires agencies implement technical policies and procedures for electronic information systems that allow access only to those persons or software programs that have been granted access rights.

Once you have a policy that defines how persons are given the right to access EPHI, this section defines how you will technically insure the policy is enforced. The first required task under Access Control is Unique User Identification. This task requires that agencies assign a unique name and or number for identifying and tracking user identity. This means that all EPHI users must have a unique network login as well as a unique login to any applications that stores EPHI. If you are not using the user name as part of the identification process, the unique name or number must be able to be tracked to a specific user.