Operate a mechanism to track access to protected health information

Establish with management and operations a mechanism to track access to protected health information, within the purview of the organization and as required by law, and to allow qualified individuals to review or receive a report on such activity. Work with all organization personnel involved with any aspect of release of protected information to ensure coordination with the organization’s policies, procedures and legal requirements, and account for and administer individual requests for release or disclosure of personal and/or protected information.
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices, and to the types of transactions and functions that authorized users are permitted to exercise. Create an access control list of personnel who are authorized to use the information systems. Authorized users are permitted to pass information to other individuals or through approved systems. Mandatory access controls restrict the capability of authorized users to modify systems, components, and/or access to same. Define permitted devices and the types of transactions and functions that authorized users are permitted to exercise.
Define which authorized users may perform the following system security tasks:
Sources:
http://www.cio.noaa.gov/itmanagement/pdfs/NIST_SP_800-53r4_Appendix_J.pdf
http://www.protecciondedatospersonales.org/2014/08/14/chief-privacy-officer-sample-job-description/
http://ecfirst.com/myecfirst/wp-content/uploads/NIST_SP800-53_QRC_2015.pdf