Immediate Takeaways

​

• Separate clinical urgency from permanent privilege; use emergency access with logging and after-action review.

• Keep workforce, contractor, student, researcher, vendor, and device identities in one governance model.

• HIPAA Security Rule updates are proposed, so build now around stronger access controls, audit controls, encryption, and documented risk management.

• Measure patient-safety impact alongside security outcomes.

Action Plan

​

• Map systems that create, receive, maintain, or transmit ePHI.

• Automate joiner-mover-leaver flows for clinical staff, contractors, and rotating roles.

• Review access to EHR, pharmacy, lab, billing, and analytics platforms.

• Implement break-glass controls with reason capture, expiry, and review.

Control Checklist

​

• Role model for clinical, non-clinical, vendor, research, and temporary access.

• Audit trail for PHI access, privileged changes, emergency access, and failed access attempts.

• Risk-based review cadence for EHR, revenue cycle, and connected care platforms.

• Vendor and medical-device support access with approval, time limit, and logging.

• Evidence pack for HIPAA safeguards, incident investigations, and privacy office review.

Useful References
 

HHS HIPAA Privacy Rule

HHS HIPAA Security Rule guidance

Federal Register: 2025 proposed HIPAA Security Rule update