Here are some things to consider as a business associate.
First, each user accessing ePHI must be assigned a unique name or number to identify and track the user’s identity.
Next, procedures should be established to obtain the necessary ePHI in the event of an emergency. In addition, authenticated access sessions should be terminated automatically after a period of inactivity.
Of course, ePHI in storage or in transit should be encrypted. In addition, a logging mechanism should be in place to track changes to ePHI and prevent it from being changed or destroyed without authorization.
Finally, that logging mechanism must also capture who is attempting to access the ePHI. Establish and implement policies and procedures for limiting physical access to the system and the facilities where the system is located.
Prepare an emergency operations plan that allows access to the facility to recover lost data. Prepare and implement policies and procedures to protect the facility and computers from unauthorized physical access, tampering, and theft.
Implement procedures to control and authenticate access to the facility based on roles and functions, including visitor management and access to software programs. Implement procedures to document repairs and modifications to the physical components of the facility that relate to security, such as walls, doors, locks, etc.
Establish policies that define the functions, procedures, and physical attributes of each specific workstation or class of workstations that have access to ePHI.
The business associate should ensure that physical safeguards are in place to prevent unauthorized access to the workstations from which ePHI is accessible; maintain records of the movement of hardware and electronic media containing ePHI; and control who is responsible for that movement.