What is an authorization list?

An authorization list is a permission or a list of individuals/entities allowed to access protected health information (PHI). It specifies who can view, share or handle sensitive patient data within healthcare and ensures authorized access only.

Access to the authorization list is restricted to individuals who require it to manage access controls and authorization management, such as authorized administrators and supervisors or managers.

Authorization list details include:

1. Individual or entity identification: Details such as names, roles, or unique identifiers of individuals or entities authorized to access PHI.
2. Specific permissions or access rights: The level of access granted to each authorized individual or entity, specifying what type of PHI they can access and for what purposes.
3. Validity and duration: The time frame for which the authorization is valid.
4. Purpose of access: The reason or specific goals for which access to PHI is granted, confirming it is only granted for lawful and necessary functions.
5. Record of authorizations: A comprehensive record documenting the granting and management of access permissions, often including timestamps or dates of authorization and any modifications made to access rights over time.

Is an authorization list necessary in all organizations?

HIPAA mandates implementing appropriate administrative, technical, and physical safeguards to protect PHI in all healthcare organizations. While the term "authorization list" like HIPAA compliant email might not be explicitly stated in HIPAA, the concept of niche and tailored measures to guard PHI is foundational. 

See also: A guide to HIPAA and access controls

How to implement an authorization list

Data classification and role mapping

Begin by categorizing PHI based on sensitivity and criticality. Assign roles to specific data categories, mapping which parts need access to particular types of PHI.

Role-based access control (RBAC)

Implement a role-based access control model, assigning roles and associated permissions according to job functions. Define what each role is allowed to access based on their responsibilities.

Fine-grained access control

Utilize a fine-grained access control system that provides precise control over specific elements of PHI. This allows nuanced control over who can access what within a broader role-based framework.

Centralized access management system

Employ a centralized access management system or software that allows administrators to efficiently manage access rights. This system should track user activity and provide logs for audits.

Access request and approval process

Establish a process for requesting access to PHI. Implement an approval workflow where requests are reviewed and approved by authorized individuals, ensuring proper validation and necessity.

Automated access revocation

Set up automated mechanisms for access revocation in cases of job role changes, terminations, or when access is no longer necessary. Automating this process helps prevent unauthorized access.

Least privilege principle

Adhere to the principle of least privilege, granting the minimum level of access necessary for each role to perform their job. This limits exposure and potential damage in case of a security breach.

See also: What is a HIPAA authorization form?