We’re continuing our discussion from the previous blog post, “The Importance of Separation of Duties”, and getting into more details surrounding documenting and tracking your processes.  

  • Document the separation of duties: 
      • It should be formally documented who from your organization is responsible for each information system and those responsibilities should be spread out to different individuals.  
          • Specifically, who is responsible for configuring, auditing, and granting access to systems? 
          • You can define this by job title or specific person. We suggest job title to avoid having to change your policy and procedure documents every time there is a staff change. 
  • Documentation and tracking of requests: 
      • Using a ticketing system to track access requests, auditing of systems, or support incidents will track that the separation of duties is being executed properly.  
      • Audit logs could be used to identify who is doing what and corroborate compliance with separation of duties standards. 
      • It’s important to make sure the records are being kept for an appropriate amount of time and are reviewed with a defined cadence.  


HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(4)(ii)(B), 164.310(a)(1), 164.310(b), 164.312(a)(1), 164.312(b), 164.312(c), 164.312(e)