

HIPAA

HIPAA puts identity at the centre of every ePHI access decision — and at the centre of every breach notification when an attacker gets through.

Full name
Health Insurance Portability and Accountability Act — Security and Privacy Rules
Region
United States (extraterritorial for covered entities and their business associates)
Applies to
Healthcare providers, health plans, healthcare clearinghouses, and their business associates that create, receive, maintain, or transmit electronic protected health information (ePHI).

HIPAA's Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect ePHI. The technical safeguards in 45 CFR § 164.312 are dominated by identity-and-access controls. The Privacy Rule (§ 164.500-534) governs how patient identity is recognised and how data-subject-style requests are handled. The Breach Notification Rule (§ 164.400-414) puts identity-driven incidents on a 60-day notification clock.

What it asks for

The Identity Lens

The clauses that bite when identity architecture is weak, rewritten in plain English. Authoritative text is linked below.

§ 164.312(a) — Access control

Unique user identification, emergency access procedure, automatic logoff, and encryption / decryption of ePHI. The unique-user-identification requirement is the explicit prohibition of shared accounts for any system that touches ePHI.

§ 164.312(b) — Audit controls

Hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI. The audit trail is HIPAA's primary evidence base when an incident is investigated.

§ 164.312(d) — Person or entity authentication

Procedures to verify that a person or entity seeking access to ePHI is the one claimed. HHS guidance increasingly expects multi-factor authentication for remote and privileged access.

§ 164.308(a) — Administrative safeguards (workforce security)

Workforce clearance, termination procedures, access authorisation, and periodic review. Joiner / mover / leaver discipline is what closes the HIPAA workforce-security loop.

Where teams miss it

Common Misses

Patterns we see again and again — usually because the identity programme runs in parallel to the compliance programme rather than inside it.

Shared clinical workstations with a single shared login. The unique-user-identification requirement is explicitly violated; the audit trail is meaningless.

Departed clinicians retaining access through provider portals, EHR integrations, or affiliated systems that were not connected to the central HR-driven deprovisioning workflow.

Business-associate identity hygiene assumed in BAAs but never verified — auditors and OCR investigators ask for evidence of upstream controls when a BA breach occurs.

MFA configured for the EHR but not for the underlying database, file share, or backup target — paths the attacker actually uses.

What works

Where Design Pays Off

Patterns we have seen survive supervisory review, audit, and the next change.

Unique-user identity tied to clinical roles and shift patterns, with fast-switching at shared workstations and automatic logoff timing matched to clinical workflow rather than IT defaults.

Audit trail piped into a long-retention store that satisfies the six-year HIPAA documentation requirement without depending on the EHR's own retention.

Workforce deprovisioning that fans out across EHR, downstream applications, federated identity, BAA-connected systems, and revocation of issued credentials — with evidence retained for OCR review.
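Two of the misses above (a shared clinical login and a departed user who still has access) can be spotted from the audit trail that § 164.312(b) already requires, cross-checked against the HR feed that drives deprovisioning. The following is an added example, not Atlas Apex code; the pipe-delimited audit format, the sample records and the HR status map are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample ePHI-system audit lines (hypothetical format):
# timestamp | user_id | workstation | action
AUDIT_LOG = """\
2024-03-04T08:01:10 | nurse_ward3 | WS-301 | chart.view
2024-03-04T08:01:42 | nurse_ward3 | WS-302 | chart.view
2024-03-04T08:02:05 | nurse_ward3 | WS-305 | med.administer
2024-03-04T09:15:00 | jsmith      | WS-110 | chart.view
2024-03-04T09:40:12 | rlee        | WS-110 | chart.view
2024-03-04T10:02:00 | jsmith      | WS-111 | chart.export
""".strip().splitlines()

# Constructed HR feed: user_id -> termination date, or None if still employed.
HR_STATUS = {"nurse_ward3": None, "jsmith": datetime(2024, 2, 28), "rlee": None}

def parse_audit(lines):
    """Turn pipe-delimited audit lines into dicts with a parsed timestamp."""
    events = []
    for line in lines:
        ts, user, ws, action = [f.strip() for f in line.split("|")]
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ws": ws, "action": action})
    return events

def shared_login_suspects(events, window=timedelta(minutes=5)):
    """User ids active on more than one workstation inside `window`.
    One person cannot be at three terminals at once, so this flags accounts
    that are probably shared: the unique-user-identification miss."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    suspects = {}
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            recent = {x["ws"] for x in evs[i:] if x["ts"] - e["ts"] <= window}
            if len(recent) > 1:
                suspects[user] = sorted(recent)
                break
    return suspects

def post_termination_access(events, hr_status):
    """Events by users whose HR termination date precedes the event: the
    'departed clinician still has access' miss. Unknown users are flagged too."""
    hits = []
    for e in events:
        term = hr_status.get(e["user"], "unknown")
        if term == "unknown" or (term is not None and e["ts"] > term):
            hits.append((e["user"], e["ws"], e["action"]))
    return hits
```

Different users on the same workstation (jsmith then rlee on WS-110) are not flagged, because fast user switching at a shared terminal is exactly the pattern the design section recommends.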

Need a HIPAA-ready identity baseline?

We start with an assessment that maps your identity controls to HIPAA requirements, then design and operate the controls that close the gaps.

Book a Conversation