Data Access Governance

Required Inputs

Methodology

Step 1: Access Control Framework Design

Establish the organizational access control architecture:

Role-Based Access Control (RBAC) Model:

Minimum Necessary Matrix:

• For each role, define the minimum PHI data elements needed to perform the job function
• Restrict access to only the data categories required (demographics, clinical notes, labs, imaging, medications, billing)
• Implement view restrictions by patient population (own patients, department, facility, system-wide)
• Define temporal restrictions (how far back historical records are accessible)

Step 2: Access Provisioning Procedures

Define the lifecycle of access from request through revocation:

Access Lifecycle Management:

Access Request Approval Authority:

• Standard access (within role template): Direct supervisor approval
• Elevated access (beyond role template): Department director + Security Officer approval
• Emergency access (break-the-glass): Automatic with retroactive review within 24 hours
• Research access: IRB approval + Privacy Officer review

Step 3: Minimum Necessary Implementation

Operationalize HIPAA's minimum necessary standard (45 CFR 164.502(b)):

Minimum Necessary Categories:

• Treatment: Minimum necessary does not apply to disclosures for treatment purposes between providers (45 CFR 164.502(b)(2)(i)) — but organizations may still implement reasonable restrictions
• Payment: Limit to data elements needed for the specific payment activity
• Healthcare operations: Limit to data needed for the specific operational purpose
• Workforce access: Implement role-based restrictions that provide only the data needed for the job function
• Routine disclosures: Define standard protocols for recurring disclosure types (e.g., subpoena response, public health reporting)
• Non-routine disclosures: Individual review for each non-routine disclosure request

Implementation Approaches:

• EHR role templates restricting chart sections by role (e.g., nurses cannot view psychotherapy notes)
• Data element filtering in reports and extracts (include only requested/needed fields)
• Patient population restrictions (providers access only their assigned patients or department)
• Time-based restrictions (access limited to patients with encounters within a defined period)
• Purpose-based access (user must specify reason for accessing record outside their assigned patients)

Step 4: Audit Logging and Monitoring

Implement comprehensive access monitoring:

Required Audit Log Elements (45 CFR 164.312(b)):

• User ID and role at time of access
• Date and time of access
• Patient record accessed (patient identifier)
• Action performed (view, create, modify, print, export, delete)
• System or application accessed
• Access location (workstation ID, IP address, remote/on-site)

Proactive Monitoring Program:

Step 5: Unauthorized Access Detection and Investigation

Detect and investigate potential unauthorized access (snooping):

Detection Indicators:

• Accessing records of family members, neighbors, celebrities, or co-workers without treatment relationship
• Accessing own medical record through clinical system (rather than patient portal)
• Accessing records after treatment relationship has ended without legitimate purpose
• Accessing records from unusual locations or at unusual times
• Accessing records flagged for heightened monitoring (VIP, employee health)
• Pattern of accessing records matching news events (accident victims, crime victims)

Investigation Process:

1. Preserve audit log evidence
2. Identify the accessed records and the accessor
3. Determine if a treatment relationship or legitimate business purpose existed
4. Interview the accessor to understand the reason for access
5. Review organizational policy and HIPAA requirements
6. Determine if a privacy violation occurred
7. If violation confirmed: apply sanctions per sanction policy, determine if breach notification is required
8. Document the investigation and outcome

Sanction Policy Application:

• First offense, no harm: Verbal warning and re-education
• Repeat offense or minor harm: Written warning and remedial training
• Intentional or significant: Suspension, termination, and potential referral to OCR
• All violations: Documented in employee file per organizational sanction policy (required by 45 CFR 164.308(a)(1)(ii)(C))

Step 6: Break-the-Glass Procedures

Design emergency access override protocols:

When Break-the-Glass Applies:

• Medical emergency requiring immediate access to patient information not normally accessible to the user
• System failure preventing normal access for active patient care
• Disaster or mass casualty event requiring expanded access

Break-the-Glass Requirements:

• User must acknowledge emergency access is being activated
• System logs the break-the-glass event with enhanced detail
• User must provide justification within 24 hours
• Privacy/Security Officer reviews every break-the-glass event
• Inappropriate use of break-the-glass is subject to sanctions
• Break-the-glass rates are monitored (high rates may indicate role template inadequacy)

Step 7: Periodic Access Review and Recertification

Conduct regular reviews of access appropriateness:

Review Schedule:

Recertification Process:

• Generate access report showing each user's current access rights
• Manager certifies that each user's access is appropriate for current role
• Identify and remove excess access (access creep from prior roles)
• Document recertification completion with manager attestation
• Escalate unresolved excess access to Security Officer

Output Specification

data_access_governance_report:
  assessment_date: string
  systems_in_scope: number
  total_users: number
  rbac_framework:
    roles_defined: number
    users_per_role: object
    minimum_necessary_implemented: boolean
  access_provisioning:
    avg_provisioning_time: string
    avg_termination_revocation_time: string
    orphaned_accounts_found: number
  monitoring_summary:
    audit_log_coverage: number  # percentage of systems
    anomalies_detected: number
    investigations_conducted: number
    violations_confirmed: number
    break_the_glass_events: number
    break_the_glass_justified: number
  recertification:
    last_completed: string
    completion_rate: number
    excess_access_removed: number
  findings:
    - finding: string
      hipaa_reference: string
      risk_level: string
      remediation: string
  compliance_score: number

Analysis Framework

Access Control Maturity Model

Examples

Example: Hospital EHR Access Governance Audit

• Scope: 2,500 EHR users across 450-bed hospital
• RBAC assessment: 28 role templates defined; 92% of users aligned to templates; 8% (200 users) have customized access requiring review
• Minimum necessary: Clinical notes restricted by role; billing staff cannot view psychotherapy notes — compliant
• Provisioning: Average provisioning time 1.2 days (compliant); average termination revocation 6.8 hours (within 4-hour target for 85% of terminations)
• Critical finding: 12 orphaned accounts from employees terminated 30+ days ago still active — immediate revocation required
• Monitoring: 1,847 anomaly alerts in past quarter; 23 investigations initiated; 3 confirmed unauthorized access (2 employee record access, 1 celebrity patient)
• Break-the-glass: 45 events in quarter; 42 justified; 3 inappropriate (sanctions applied)
• Recommendation: Implement automated account deactivation triggered by HR termination record; reduce orphaned account gap to zero

Guidelines

1. Access is a privilege, not a right — all PHI access must be justified by job function
2. Implement least privilege — default to minimum access; add only when justified
3. Automate provisioning and deprovisioning — manual processes are error-prone and slow
4. Monitor continuously — periodic audits alone are insufficient; implement real-time anomaly detection
5. Apply sanctions consistently — inconsistent enforcement undermines the entire governance program
6. Review break-the-glass events promptly — within 24 hours of every occurrence
7. Address access creep — users who change roles accumulate excess access unless actively managed

Validation Checklist

• RBAC framework defined with role templates covering all workforce categories
• Minimum necessary standard implemented with data element and population restrictions
• Access provisioning lifecycle documented from request through termination
• Audit logging enabled across all PHI-containing systems with required data elements
• Proactive monitoring program implemented with defined triggers and response procedures
• Unauthorized access investigation process documented with sanction policy
• Break-the-glass procedures designed with mandatory retroactive review
• Periodic access recertification schedule established and documented
• Orphaned account detection and remediation process in place
• Compliance with 45 CFR 164.312(a) access controls and 164.312(b) audit controls verified

HIPAA Compliance Notes

• Access controls are a required technical safeguard under the HIPAA Security Rule (45 CFR 164.312(a)(1))
• Unique user identification is required (45 CFR 164.312(a)(2)(i)) — shared accounts violate this standard
• Emergency access procedures must be established (45 CFR 164.312(a)(2)(ii))
• Automatic logoff must be implemented (45 CFR 164.312(a)(2)(iii))
• Audit controls must be implemented to record and examine PHI access (45 CFR 164.312(b))
• Minimum necessary standard applies to all uses and disclosures except treatment (45 CFR 164.502(b))
• Sanction policy is a required administrative safeguard (45 CFR 164.308(a)(1)(ii)(C))
• Workforce security procedures are required (45 CFR 164.308(a)(3))
• Access authorization policies are required (45 CFR 164.308(a)(4))
• Documentation must be retained for 6 years (45 CFR 164.316(b)(2)(i))