Assign a unique name and/or number for identifying and tracking user identity

Assign a unique name and/or number for

identifying and tracking user identity Risk: secure

Description

Maintaining separate credentials for each user of information systems is critical to ensuring individual accountability and easing investigation of potential data breaches.

The HIPAA Security Rule requires Covered Entities to implement a “Unique User Identification” standard for systems holding electronically protected health information (EPHI). Unique User Identification is a “required” specification under the Access Control standard and should be employed for all EPHI systems.

As the name implies, unique user identification refers to using a unique name or number to identify and track specific individuals using EPHI systems, frequently referred to as “Logon name” or “User ID”. Using this unique name or number provides a means to verify the person's identity using the system. An effective unique user identification practice ensures that system activity can be traced to a specific individual. Never share your user ID on any system, as you would not like to be held responsible for someone else’s actions.

Recommendation

Assign unique user identifiers (user IDs) that identify members, and enable activities performed on ePHI Systems with a user identifiers to be traced to an individual workforce member and provide access to ePHI Systems.

Links

• HIPAA Security Rules
• Security Standards: Technical Safeguards