This section of HIPAA is concerned with access control. In the IT infrastructure of a Medical organization, proper access is essential for patient privacy. Furthermore, access must be restricted to a “need to know” basis to prevent leaks to unauthorized third parties. To this end, this audit seeks to a) make sure all access is restricted (that is to say requires some more of credential validation before access) and auditable to a unique single identity (group or individual) and b) to make sure that the user credentials (passwords, pins, etc.) are strong and secure within reason. By enforcing the above aspects of HIPAA the organization can be sure that all access is secure and that patient privacy and confidentiality are maintained. This aspect of HIPAA is also important for legal issues that may arise from a lawsuit or employee misconduct.
The following is the legal text from CFR 45-164-312, which deals with access controls:
Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health and records information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).
You can view the embedded presentation below using the SlideShare applet below. The demo video form YouTube is automatically embedded for your convenience.
Some good references to get started with HIPAA: