Authorization and/or Supervision
To meet HIPAA’s “Authorization and/or Supervision” requirement, you must implement written, repeatable procedures that (1) authorize which workforce members may work with or access ePHI (including where ePHI could be accessed) and (2) supervise that access in a way that prevents inappropriate viewing, use, or disclosure. Your goal is provable control over “who can be near ePHI” and “who is watching the work.” (45 CFR Parts 160, 162, 164)
Key takeaways:
- Define which roles are permitted to access ePHI and which roles may be in ePHI-accessible locations, then enforce it operationally. (45 CFR Parts 160, 162, 164)
- Supervision is a control, not a vibe; document who supervises whom, what gets reviewed, and what triggers escalation. (45 CFR Parts 160, 162, 164)
- Keep evidence that authorization happened before access, and that supervision occurs during normal operations (not only during audits). (45 CFR Parts 160, 162, 164)
“Authorization and/or Supervision” is one of the HIPAA Security Rule Workforce Security implementation specifications. It requires procedures that control workforce interaction with ePHI, including both direct system access and situations where someone could access ePHI simply by being in the wrong place (nursing stations, shared workrooms, server rooms, on-site scanning areas, remote call centers, or any location with unlocked screens, printers, or paper-to-digital workflows). (45 CFR Parts 160, 162, 164)
For a Compliance Officer, CCO, or GRC lead, this requirement becomes practical fast: HR onboarding, identity and access management (IAM), manager oversight, physical workspace rules, and third-party staffing all intersect here. Most breakdowns come from gaps between “policy says only authorized staff can access ePHI” and the operational reality of shared accounts, borrowed badges, shadowing without guardrails, and contractors working in ePHI-adjacent areas without clear supervision.
This page gives you requirement-level implementation guidance you can put into motion: who it applies to, what to build, how to run it, what to retain as evidence, and where auditors push. The focus is on simple, auditable procedures that keep access intentional and supervised. (45 CFR Parts 160, 162, 164)
Regulatory text
Requirement: “Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.” (45 CFR Parts 160, 162, 164)
Operator interpretation (what you must be able to prove)
You need documented procedures that:
- Authorize workforce members before they can access ePHI (systems, devices, applications, shared drives, ticketing tools containing ePHI, etc.). (45 CFR Parts 160, 162, 164)
- Authorize or control presence in any location where ePHI might be accessed, even if the role does not need routine access (examples: facilities staff entering clinical areas, IT staff in workrooms with unlocked terminals). (45 CFR Parts 160, 162, 164)
- Supervise workforce members whose work touches ePHI or happens in ePHI-accessible locations, with clarity on responsible supervisors and what oversight looks like in practice. (45 CFR Parts 160, 162, 164)
HIPAA uses “and/or” because supervision may be part of how you control access in some contexts (for example, trainees, temporary staff, or shadowing). Your procedures should still show intentional control, not informal custom. (45 CFR Parts 160, 162, 164)
Plain-English requirement (what it means day-to-day)
- No one should “end up” with ePHI access. Access should be requested, approved, provisioned, and reviewed. (45 CFR Parts 160, 162, 164)
- If someone works near ePHI, assume exposure is possible unless you put barriers in place (screen locks, clean desk, badge-controlled areas, visitor escort rules, supervised workflows). (45 CFR Parts 160, 162, 164)
- Supervision must be defined and repeatable. Managers should know what they are accountable for (access approvals, periodic review, monitoring exception reports, addressing inappropriate access). (45 CFR Parts 160, 162, 164)
Who it applies to
Entity scope
- Covered Entities and Business Associates. (45 CFR Parts 160, 162, 164)
Operational scope (where this requirement shows up)
- Workforce onboarding and role changes: new hires, interns, residents, temps, volunteers, transfers, promotions. (45 CFR Parts 160, 162, 164)
- System access to ePHI: EHR/EMR, imaging, claims, care management, CRM with patient records, secure messaging, document management, backup consoles. (45 CFR Parts 160, 162, 164)
- Physical and hybrid locations: clinics, hospitals, call centers, remote work, shared workspaces, print/scanning rooms, server/network closets. (45 CFR Parts 160, 162, 164)
- Third-party workforce augmentation: contractors, agency nurses, outsourced billing teams, IT managed service staff operating in ePHI-capable environments. (45 CFR Parts 160, 162, 164)
What you actually need to do (step-by-step)
1) Define “authorization” in your operating model
Create a short procedure that answers:
- Which roles require ePHI access (by job family and system)? (45 CFR Parts 160, 162, 164)
- Who can approve access for each system (system owner, department leader, privacy/security approver)? (45 CFR Parts 160, 162, 164)
- What minimum conditions must be met before provisioning (completed training, signed acknowledgments, background checks if your policy requires them)? (45 CFR Parts 160, 162, 164)
Practical output: an access authorization matrix (role → systems → approval path → baseline access level). Keep it simple; completeness beats elegance.
2) Implement an access request + approval workflow that’s auditable
You need a workflow that produces records. Typical options:
- Ticketing system workflow (ITSM) with required fields and approver identity.
- IAM tool workflow.
- HRIS-driven provisioning with manager attestation.
Control points to include:
- Requestor identity and department (who initiated). (45 CFR Parts 160, 162, 164)
- Business justification tied to role. (45 CFR Parts 160, 162, 164)
- Approver identity and date/time. (45 CFR Parts 160, 162, 164)
- Provisioning confirmation and effective date. (45 CFR Parts 160, 162, 164)
- Removal triggers (termination, transfer, end of contract). (45 CFR Parts 160, 162, 164)
3) Cover “locations where ePHI might be accessed”
Write location-based procedures so non-clinical and non-ePHI roles do not become accidental viewers:
- Badge/door controls for high-exposure areas where feasible. (45 CFR Parts 160, 162, 164)
- Escort rules for visitors and non-authorized staff (including some contractors). (45 CFR Parts 160, 162, 164)
- Workstation positioning and auto-lock expectations where screens can be seen by passersby. (45 CFR Parts 160, 162, 164)
- Printer/fax/scanner handling procedures; avoid unattended output containing ePHI. (45 CFR Parts 160, 162, 164)
Your procedure should explicitly connect the location controls to workforce authorization and supervision, since the regulation calls out locations directly. (45 CFR Parts 160, 162, 164)
4) Define supervision requirements by workforce category
Supervision must be concrete. Define categories and oversight mechanics, for example:
- Trainees/interns: must be assigned a named supervisor; supervisor reviews access granted; supervisor verifies appropriate use during training tasks. (45 CFR Parts 160, 162, 164)
- Temporary/agency staff: supervisor confirms contract start/end dates; access is time-bounded; supervisor validates minimum necessary access. (45 CFR Parts 160, 162, 164)
- IT/admin staff with elevated access: supervision via change approvals, privileged access controls, and post-activity review aligned to your internal process. (45 CFR Parts 160, 162, 164)
Avoid a supervision procedure that says “managers supervise staff.” Auditors will ask what that means operationally.
5) Add periodic manager attestation of access (keep it workable)
Implement a recurring review where managers/system owners confirm:
- Their staff still need access.
- Access matches job duties.
- Departed or transferred workforce members are removed. (45 CFR Parts 160, 162, 164)
If you use Daydream to manage access review campaigns and retain reviewer attestations, you get cleaner evidence with less manual chasing. Keep the scope focused on ePHI-bearing systems first, then expand.
6) Tie the requirement to incident response and sanctions
Your procedures should point to what happens when supervision detects inappropriate access:
- escalation to Privacy/Security,
- investigation steps per your internal process,
- sanctions per your workforce disciplinary policy. (45 CFR Parts 160, 162, 164)
You do not need lengthy narrative here; you need a clear handoff.
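As an added example (not part of the original page or of any product it names), the Python below reconciles constructed provisioning records against constructed approval records and flags the failures that steps 2, 4 and 5 are designed to catch: accounts created with no documented approval, approvals lacking approver identity or justification, approvals dated after provisioning, and time-bounded agency access that outlived its end date. All user names, systems and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Approval:               # documented approval (step 2 control points)
    user: str
    system: str
    approver: str             # approver identity
    approved_on: date         # approval date
    justification: str        # business justification tied to role

@dataclass
class Provisioning:           # account actually created by IT
    user: str
    system: str
    provisioned_on: date
    removed_on: Optional[date] = None   # None means the account is still active
    access_ends: Optional[date] = None  # contract/engagement end for temps and agency staff

def audit(approvals: List[Approval], provisionings: List[Provisioning],
          as_of: date) -> List[str]:
    """Return one finding per control failure; an empty list means clean evidence."""
    by_key = {(a.user, a.system): a for a in approvals}
    findings = []
    for p in provisionings:
        key = f"{p.user}@{p.system}"
        a = by_key.get((p.user, p.system))
        if a is None:   # provisioning is not authorization: no approval on file
            findings.append(f"{key}: provisioned with no documented approval")
            continue
        if not a.approver or not a.justification:
            findings.append(f"{key}: approval lacks approver identity or justification")
        if a.approved_on > p.provisioned_on:   # approval must precede access
            findings.append(f"{key}: approval dated after provisioning")
        if p.access_ends and p.removed_on is None and p.access_ends < as_of:
            findings.append(f"{key}: time-bounded access past end date but still active")
    return findings

def run_sample() -> List[str]:
    """Constructed sample records; names, systems and dates are illustrative only."""
    approvals = [
        Approval("alice", "EHR", "dr.lee", date(2024, 3, 1), "RN, inpatient unit"),
        Approval("carol", "claims", "m.ortiz", date(2024, 4, 1), "agency biller"),
        Approval("dave", "imaging", "", date(2024, 5, 10), "radiology tech"),
    ]
    provisionings = [
        Provisioning("alice", "EHR", date(2024, 3, 2)),
        Provisioning("bob", "EHR", date(2024, 3, 5)),           # no approval on file
        Provisioning("carol", "claims", date(2024, 4, 1), access_ends=date(2024, 6, 30)),
        Provisioning("dave", "imaging", date(2024, 5, 8)),      # created before approval
    ]
    return audit(approvals, provisionings, as_of=date(2024, 7, 15))
```

Run against real exports from your ITSM/IAM tooling, each finding becomes a remediation ticket to track to closure, which is the evidence trail step 5 asks for.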
Required evidence and artifacts to retain
Keep evidence that shows design and operation:
Core artifacts (design)
- Workforce authorization and supervision procedure(s). (45 CFR Parts 160, 162, 164)
- Role-to-system access authorization matrix (or equivalent). (45 CFR Parts 160, 162, 164)
- Location-based access/escort procedure for ePHI-accessible areas. (45 CFR Parts 160, 162, 164)
- RACI-style assignment: system owner, access approver, provisioning team, supervisor responsibilities. (45 CFR Parts 160, 162, 164)
Operating evidence (run-state)
- Access requests/approvals with approver identity and timestamps. (45 CFR Parts 160, 162, 164)
- Provisioning/deprovisioning logs or tickets. (45 CFR Parts 160, 162, 164)
- Manager/system owner access review attestations and remediation records. (45 CFR Parts 160, 162, 164)
- Training completion records tied to access eligibility, if your process requires training before granting access. (45 CFR Parts 160, 162, 164)
- Contractor/agency rosters and supervisor assignments for ePHI-adjacent work. (45 CFR Parts 160, 162, 164)
Common exam/audit questions and hangups
Expect questions like:
- “Show me how a new hire gets access to the EHR. Where is the approval captured?” (45 CFR Parts 160, 162, 164)
- “How do you prevent housekeeping, facilities, or visitors from viewing ePHI on screens or printers?” (45 CFR Parts 160, 162, 164)
- “Who supervises interns/temps, and what does supervision consist of?” (45 CFR Parts 160, 162, 164)
- “How do you confirm access is removed when someone leaves or changes roles?” (45 CFR Parts 160, 162, 164)
- “Do you review access rights periodically? Show evidence.” (45 CFR Parts 160, 162, 164)
Hangup: teams often show a policy but cannot produce a clean access approval trail across multiple systems.
Frequent implementation mistakes (and how to avoid them)
- Treating provisioning as authorization. IT creating accounts is not proof of authorization. Require documented approvals before provisioning. (45 CFR Parts 160, 162, 164)
- Ignoring “locations where ePHI might be accessed.” This language pulls physical environment and operational workflows into scope. Add escort rules, workstation behavior standards, and printer controls. (45 CFR Parts 160, 162, 164)
- No defined supervision for non-standard workforce. Interns, temps, and contractors get “temporary” handling that becomes permanent. Require named supervisors and time-bounded access tied to start/end dates. (45 CFR Parts 160, 162, 164)
- Shared accounts and badge sharing. These practices destroy accountability. Explicitly prohibit them and back it with technical controls where possible. (45 CFR Parts 160, 162, 164)
- Access reviews that do not drive remediation. A checkbox attestation without follow-up fails in practice. Track removals and exceptions to closure. (45 CFR Parts 160, 162, 164)
Enforcement context and risk implications
No public enforcement cases were included in the source material for this page, so specific cases are not cited here. Practically, the risk is straightforward: weak authorization and weak supervision increase the likelihood of inappropriate access, impermissible disclosure, and an inability to reconstruct who accessed what. That creates both privacy exposure and operational disruption during investigations and audits. (45 CFR Parts 160, 162, 164)
A practical 30/60/90-day execution plan
First 30 days (stabilize and document)
- Inventory systems and workflows where ePHI is accessed or could be exposed in the workspace. (45 CFR Parts 160, 162, 164)
- Draft or tighten the authorization procedure and supervisor responsibilities for each workforce category. (45 CFR Parts 160, 162, 164)
- Implement a minimum access approval workflow for your highest-risk ePHI systems (capture approver identity and timestamp). (45 CFR Parts 160, 162, 164)
Days 31–60 (operationalize and collect evidence)
- Build the role-to-system authorization matrix and publish it to system owners and IT. (45 CFR Parts 160, 162, 164)
- Roll out location-based controls: escort rules, clean desk expectations, printer handling, workstation locking expectations. (45 CFR Parts 160, 162, 164)
- Start manager attestations for access correctness for priority teams and systems; track remediation actions. (45 CFR Parts 160, 162, 164)
Days 61–90 (scale and harden)
- Expand access reviews to additional ePHI systems and shared services teams. (45 CFR Parts 160, 162, 164)
- Add contractor/agency governance: named supervisors, end-date offboarding, verification that access is removed at end of engagement. (45 CFR Parts 160, 162, 164)
- Package audit-ready evidence: samples of approvals, review outputs, remediation tickets, and your current procedures in one place (Daydream can help centralize evidence and attestations). (45 CFR Parts 160, 162, 164)
Frequently Asked Questions
Does “authorization and/or supervision” mean we can choose supervision instead of access controls?
You still need intentional control over who can access ePHI and who can be in ePHI-accessible locations. Supervision may be part of the control design for certain roles (like trainees), but you must be able to show documented procedures that work in practice. (45 CFR Parts 160, 162, 164)
How do we handle staff who don’t “need” ePHI but work near it (facilities, security, IT)?
Treat this as location-based exposure. Define where ePHI might be accessed, then set escort/workstation/printer rules and identify who supervises non-authorized personnel while they are in those areas. (45 CFR Parts 160, 162, 164)
What evidence is most persuasive to auditors?
Time-stamped access approvals tied to a role and business need, plus proof of periodic access review with documented removals or corrections. Auditors also want written procedures that match how work actually happens. (45 CFR Parts 160, 162, 164)
Do contractors count as “workforce” for this requirement?
If they are part of your workforce under HIPAA’s concept of workforce (as implemented in your organization’s governance), you need authorization and/or supervision procedures for them in the same way you do for employees. Treat third-party staffing as a high-risk area because supervision often breaks down. (45 CFR Parts 160, 162, 164)
What should we do if a department insists on shared logins for operational speed?
Document that shared accounts are prohibited for ePHI systems, escalate exceptions through a formal risk acceptance path, and set a remediation plan to move to individual accounts. Shared logins undermine authorization, supervision, and accountability. (45 CFR Parts 160, 162, 164)
How do we operationalize supervision without constant “over-the-shoulder” monitoring?
Define supervision as a set of routine checks: approval of access, review of exception reports or audit logs when available, and periodic access attestations tied to the manager’s team. Document who performs each check and how findings are handled. (45 CFR Parts 160, 162, 164)