HIPAA is different from the other frameworks on this list. There is no annual audit that decides whether you pass or fail. Nobody mails you a certificate. What there is instead: the threat that the Office for Civil Rights (OCR) opens an investigation after a breach or a complaint, and the steady drumbeat of hospital systems asking for your documentation before they sign a contract. Both of those are where your HIPAA access controls get tested.
This guide is for executives at companies that create, store, or transmit electronic protected health information, whether as covered entities or as business associates. It explains what HIPAA actually asks for on the access control side, where organizations commonly get in trouble, and what you should be doing about it.
What HIPAA asks for, in plain language
The HIPAA Security Rule splits its requirements into three buckets: Administrative Safeguards (training, risk assessment, governance), Physical Safeguards (facility access, workstation security), and Technical Safeguards (the access control, encryption, and audit logging work). The Technical Safeguards live in Section 164.312 of the regulations, and that is where most of the access-related work happens.
The Technical Safeguards you need to know
Six technical safeguards matter for access. I am going to walk through each one in plain language, with the failure mode that I see most often.
Unique user identification
Every person who touches electronic protected health information has to do it under their own account. No shared logins. No "nurseweb1" that a whole shift uses. The requirement is absolute, and it is the one most often broken in clinical settings because it collides with workflow reality.
When a nurse has twelve seconds between patients, a full login feels like an eternity. So the shared workstation stays logged in as a kiosk, and everyone uses the same session. HIPAA does not care that this is practical. The requirement is unique ID, and the auditor will look at your session logs to verify it.
Emergency access procedure
Clinicians occasionally need to reach patient data in a situation where normal authorization is not available. A code blue. A power outage. A patient arriving unconscious. You have to have a documented, controlled way for that to happen, with logs, with a post-incident review, and with someone on the hook for reading those logs.
Every electronic health record product has a break-glass feature. Very few organizations actually use it as a controlled workflow. I regularly see six-figure counts of break-glass events with no review, no alerts, and no documented process. An investigator will ask for those logs early.
Automatic logoff
Sessions that reach patient data have to terminate after a defined period of inactivity. HIPAA calls this "addressable," which does not mean optional. It means you implement it or document a reasonable alternative that achieves the same protection. In practice, everyone implements it.
Encryption
Patient data at rest and in transit has to be encrypted. HIPAA calls this addressable too, but the reason it matters is specific. Under the breach notification rule, encrypted data that gets lost or stolen is generally not a reportable breach. Unencrypted data is. That distinction has saved many companies from seven-figure fines, and it has sunk others.
Audit controls
HIPAA is one of the few frameworks that treats audit logging as a standalone requirement. You need a record of who accessed which patient record, when, and from where. Authentication logs alone do not satisfy this. You need logs from the electronic health record, from any ancillary system that stores clinical data, and from anywhere else patient data is viewed or exported.
Workforce authorization
Documented role-based access for anyone who touches patient data, with a principle called Minimum Necessary. A biller does not need the full chart. A scheduler does not need clinical notes. A traveling nurse does not need access to patients on a unit they are not assigned to. The rule is strict, and the enforcement is supposed to be technical, not just policy.
The Administrative Safeguards that touch identity
Most of the identity work lives in 164.312, but a couple of pieces in the Administrative Safeguards section matter too.
Section 164.308 requires a risk assessment, workforce security policies, and procedures for authorizing access. Translation: your identity governance program has to have a paper trail. Policies signed by leadership, training records that show your workforce knows the rules, and a way to prove that you periodically review your access model against your assessed risk.
164.308 also requires a sanction policy, which is a written description of what happens if someone violates the access rules. Investigators check that this exists and that you have applied it when violations occurred.
Business Associates and the BAA chain
If a vendor creates, stores, or transmits patient data on your behalf, you need a Business Associate Agreement on file before they touch the data. This is a contract that binds the vendor to HIPAA's requirements and creates a chain of accountability.
Missing or expired BAAs are one of the fastest ways to turn a small incident into a large one. If your payroll vendor gets breached and they had access to patient data without a BAA, you have a reporting obligation and a potential penalty. If they had a BAA, your exposure is usually limited.
Where healthcare teams commonly fail
Four patterns show up in almost every engagement.
Shared clinical accounts. Already covered above. The single most common finding in healthcare IAM.
Break-glass theater. Everyone has the button. Nobody watches who pushes it.
Scope creep on patient data access. Role definitions made sense in 2019. It is now 2026 and every clinician can see every patient record, including the ones they are not assigned to. Celebrity patient admissions get snooped on, investigators find out, and the organization gets headlines.
Unmanaged endpoints. A physician's personal iPad that was never enrolled in mobile device management. A resident's laptop that someone let onto the network. A contractor pulling patient data over an unsanctioned file-transfer tool.
The executive playbook
This is what I do when a healthcare client hires me to clean up access controls, in the order that produces the most protection for the least cost.
Unique identity without wrecking clinical workflow
The answer to shared accounts is badge tap plus PIN, sometimes with proximity detection. Every clinician has their own identity. The workstation stays logged in as a kiosk, and a badge tap switches the active session in a second or less. The major electronic health record products all support this natively. The work is in configuring it correctly, which is rarely trivial.
Break-glass as a monitored workflow, not a button
Break-glass should grant temporary elevated access, log the event with a reason code, alert a designated reviewer within a defined window, and trigger a post-incident review. I set this up so every break-glass event gets a same-week review by clinical leadership, with documented findings. The review exists in a queryable log the auditor can sample from.
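The review discipline described above, as an added example that is not from the original post or any EHR vendor: it replays a constructed export of break-glass events against the documented sign-offs and returns the four findings an investigator would sample for. The export format, the seven-day window, and all user and patient identifiers are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample break-glass events in a hypothetical EHR export format.
# Each event records who opened the chart, on whom, why, and when.
BREAK_GLASS_EVENTS = [
    {"id": "bg-001", "user": "jdoe", "patient": "P1001",
     "reason": "CODE_BLUE", "at": "2026-02-03T14:05:00"},
    {"id": "bg-002", "user": "asmith", "patient": "P1002",
     "reason": "", "at": "2026-02-04T09:10:00"},
    {"id": "bg-003", "user": "jdoe", "patient": "P1003",
     "reason": "UNCONSCIOUS_ARRIVAL", "at": "2026-02-10T22:40:00"},
    {"id": "bg-004", "user": "rpatel", "patient": "P1004",
     "reason": "POWER_OUTAGE", "at": "2026-02-12T03:15:00"},
]

# Constructed review records: the documented sign-off by clinical leadership.
REVIEWS = [
    {"event_id": "bg-001", "reviewer": "cno", "at": "2026-02-06T10:00:00"},
    {"event_id": "bg-003", "reviewer": "cno", "at": "2026-02-25T10:00:00"},
    {"event_id": "bg-004", "reviewer": "rpatel", "at": "2026-02-13T08:00:00"},
]

REVIEW_WINDOW = timedelta(days=7)  # the "same-week review" target


def audit_break_glass(events, reviews, now_iso):
    """Return findings: events with no reason code, events never reviewed once
    the window has elapsed, reviews completed late, and reviews signed off by
    the same person who broke the glass."""
    now = datetime.fromisoformat(now_iso)
    latest_review = {}
    for r in reviews:  # keep the most recent review per event
        current = latest_review.get(r["event_id"])
        if current is None or r["at"] > current["at"]:
            latest_review[r["event_id"]] = r
    findings = {"missing_reason": [], "never_reviewed": [],
                "late_review": [], "self_reviewed": []}
    for ev in events:
        opened = datetime.fromisoformat(ev["at"])
        if not ev["reason"].strip():
            findings["missing_reason"].append(ev["id"])
        review = latest_review.get(ev["id"])
        if review is None:
            # Still inside the window means pending, not yet a finding.
            if now - opened > REVIEW_WINDOW:
                findings["never_reviewed"].append(ev["id"])
            continue
        if datetime.fromisoformat(review["at"]) - opened > REVIEW_WINDOW:
            findings["late_review"].append(ev["id"])
        if review["reviewer"] == ev["user"]:
            findings["self_reviewed"].append(ev["id"])
    return findings
```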
Patient data access logging
Authentication logs are not enough. You need a record of every time patient data was viewed, edited, or exported. That means pulling from the electronic health record, from ancillary systems, and from wherever data gets reported on. These logs go into a security information and event management tool with retention that meets state and federal requirements, usually six years.
Minimum necessary, enforced in the tool
Role definitions should map to clinical scope. A nurse on a surgical unit sees surgical patients. A biller sees billing fields. A scheduler sees scheduling fields. The electronic health record can do this, and the work is in defining the roles correctly and reviewing them when clinical teams reorganize. Reviews should happen at least yearly, more often if your workforce churns.
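Minimum Necessary expressed as an access decision, and the same decision replayed over the patient-data access records the logging section calls for, as an added example that is not code from the original post or from any EHR product. The role model, workforce directory, unit assignments, and log entries are all constructed; the decision function is hypothetical, not any vendor's API.

```python
# Constructed role model and workforce directory (hypothetical, not from any EHR).
# Minimum Necessary is expressed two ways: which chart sections a role may touch,
# and, for unit-based clinical roles, which patients are in scope at all.
ROLE_FIELDS = {
    "nurse":     {"demographics", "vitals", "medications", "clinical_notes"},
    "biller":    {"demographics", "insurance", "charges"},
    "scheduler": {"demographics", "appointments"},
}
WORKFORCE = {
    "jdoe": {"role": "nurse", "units": {"SURG-3"}},
    "bkim": {"role": "biller", "units": set()},
    "mlee": {"role": "scheduler", "units": set()},
}
PATIENT_UNIT = {"P1001": "SURG-3", "P1002": "ICU-1", "P1003": "SURG-3"}


def authorize(user, patient, field):
    """Access decision the EHR role configuration should enforce.
    Returns (allowed, reason); the reason doubles as the audit-log verdict."""
    person = WORKFORCE.get(user)
    if person is None:
        return False, "unknown_workforce_member"
    if field not in ROLE_FIELDS[person["role"]]:
        return False, "field_outside_role"
    # Unit scoping applies only to roles that carry unit assignments.
    unit = PATIENT_UNIT.get(patient)
    if person["units"] and unit not in person["units"]:
        return False, "patient_outside_assigned_unit"
    return True, "ok"


# Constructed patient-data access records, the kind pulled from the EHR audit trail.
ACCESS_LOG = [
    {"user": "jdoe", "patient": "P1001", "field": "vitals", "action": "view"},
    {"user": "jdoe", "patient": "P1002", "field": "clinical_notes", "action": "view"},
    {"user": "bkim", "patient": "P1003", "field": "clinical_notes", "action": "view"},
    {"user": "mlee", "patient": "P1001", "field": "appointments", "action": "edit"},
    {"user": "xtemp", "patient": "P1001", "field": "vitals", "action": "export"},
]


def scan_access_log(log):
    """Replay each recorded access through the current role model and return
    the entries the model would not have permitted: the snooping and scope
    creep cases that turn up in an OCR request for the affected records."""
    violations = []
    for entry in log:
        allowed, reason = authorize(entry["user"], entry["patient"], entry["field"])
        if not allowed:
            violations.append((entry["user"], entry["patient"], entry["action"], reason))
    return violations
```

Running the scan after a reorganization, with the updated unit assignments loaded, is the periodic review the paragraph above asks for.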
Endpoint management for anything that touches patient data
Every device is managed, encrypted, and required to prove its posture before it gets a session. Personal devices either go through a locked-down app or do not touch clinical data. Contractors get short-lived credentials tied to their engagement.
Business Associate Agreements as an access control
If a vendor touches patient data and you do not have a current BAA on file, treat that like an unauthorized access grant. Every BAA has an owner, a current version, a renewal date, and a link to the specific technical integration it authorizes. No production integration ships without one.
What an OCR investigation looks like
If a breach or a complaint triggers an investigation, the request list is fairly predictable. Your risk assessment. Your security policies. Your access control matrix showing the role to patient data mapping. Your audit logs for the records affected, for a defined window before and after the incident. Your break-glass logs. Your termination records for anyone who had access during the window.
Organizations that run the playbook above hand over a clean package and move on. Organizations that do not end up negotiating corrective action plans that can last years.
Where to go from here
If you are in healthcare and you have not had an outside review of your access controls in the last twelve months, the Identity Infrastructure Assessment with a HIPAA focus is built for exactly that. It covers the Technical Safeguards, the Administrative Safeguards that back them, and the Business Associate Agreement chain. Healthcare engagements usually take an extra week because of the electronic health record complexity, and the output is tuned to what OCR and your customers' procurement teams actually ask about.