Security in any computer system requires formal policies and procedures for granting and controlling access to available resources. Your practice should develop specific criteria for granting defined levels of access to all users and adopt the required mechanisms to maintain access control.
Before you grant a user access to your practice’s computer system, you must determine his or her level of access based on job role and the information that person needs to get the job done. For example, a billing department employee will need access to a patient’s financial information as well as scheduling information to determine when the next office visit is due. On the other hand, a receptionist might need access only to the scheduling system; if the receptionist in your practice has no reason to see the financial or personal medical data of patients, you should establish a method to restrict his or her access to that data.
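One way to encode the role-based restriction just described, as an added Python example that is not part of the original text (the role names, the resource names and the deny-by-default audit log are assumptions for illustration):

```python
from dataclasses import dataclass, field
from enum import Enum


class Resource(Enum):
    """Data categories named in the text (constructed labels)."""
    SCHEDULING = "scheduling"
    FINANCIAL = "financial"
    MEDICAL = "medical"


# Hypothetical role table mirroring the text: billing sees financial and
# scheduling data, the receptionist sees scheduling only. A resource that is
# not listed for a role is denied (deny by default / least privilege).
ROLE_PERMISSIONS = {
    "billing": frozenset({Resource.FINANCIAL, Resource.SCHEDULING}),
    "receptionist": frozenset({Resource.SCHEDULING}),
}


@dataclass
class AccessControl:
    users: dict = field(default_factory=dict)      # user id -> role name
    audit_log: list = field(default_factory=list)  # (user, role, resource, decision)

    def assign_role(self, user: str, role: str) -> None:
        # Refuse unknown roles so a typo cannot silently grant nothing or everything.
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.users[user] = role

    def is_allowed(self, user: str, resource: Resource) -> bool:
        role = self.users.get(user)
        # Unknown users and unlisted resources both fall through to deny.
        allowed = role is not None and resource in ROLE_PERMISSIONS[role]
        self.audit_log.append((user, role, resource.value, "allow" if allowed else "deny"))
        return allowed

    def denied_attempts(self) -> list:
        """Denied requests, the entries a periodic access review would examine."""
        return [entry for entry in self.audit_log if entry[3] == "deny"]


if __name__ == "__main__":
    ac = AccessControl()
    ac.assign_role("bob", "billing")
    ac.assign_role("rita", "receptionist")
    print(ac.is_allowed("rita", Resource.FINANCIAL))  # False: not in her role
    print(ac.denied_attempts())
```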
Note that in the HIPAA final rule, the term “access control” was removed as being too narrow. Nevertheless, access controls will form the basis of your HIPAA security plan, so it is important that you understand them.
Information Model
A conceptual model of the information needed to support a business function or process.
Information System
Information System means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.