The 5 A's of Security

Executive Summary

We came across some useful information from the CRC Press and TechTarget and have combined it into the summary below on the topic of privacy policies and security-related perspectives. Please refer to the original sources below for more detailed information.

The 5 A's of Security provide a structured understanding of privacy policies, and the best way to approach them from a security-related perspective. They are:

1. Authentication

  • Ensuring that individuals logging into a system are who they say they are.

2. Authorization

  • Determining that individuals are allowed to access the Health Information Exchange (HIE).

3. Access to data

  • Determining to which data individuals have access and what actions they are allowed to relative to that data.

4. Audit policies

  • Ensuring that you can consistently inspect what records have been accessed and by whom.

5. Accountability

  • Determining how you will hold those responsible for breaches liable.


Contact Organizations:

  • CRC Press
  • For the Health Information Technology for Economic and Clinical Health Act (HITECH Act): TechTarget


We are interested in generating some discussion on this topic in our Healthcare Privacy Community. Please visit this space to join the conversation.

The 5 A's

  1. Authentication
  2. Authorization
  3. Access to Data
  4. Audit Policies
  5. Accountability


Authentication is the process of proving that a user (or a system) that is requesting access is really who (or what) it claims to be. This is used to protect against the fraudulent use of a system or the fraudulent transmission of information. 

Authentication is a core element of protecting the privacy of a patient's information by assuring access only to those who have a right to see it. While authentication of users within an organization may be straightforward, in a HIE environment you need to ensure that those requesting access across multiple institutions, and even patients themselves, are who they claim to be. The remainder of the "5 A's" are based upon this critical component.


Authorization determines what rights each person has in the system once access is allowed. Authorization requires that the system can identify the user and relate the user's identification (ID) to the specific areas within the system that the person may be allowed to access. Authorization requires that the user must be aware of who the user is and be able to associate the user ID with specific permissions to access specific types of data.

Access to Data

Access to data is granted upon the user's authorization to access the data and the level of consent that is in place for the patient. Once the system has validated that the person is who he or she claims to be and that he or she is authorized to request data the system must then determine which data specifically that person is allowed to access. Access rights specifically define what data is allowed to be accessed and what operations they may perform on the accessed data. Allowed actions may include view only, create, delete, or some combination thereof.

Access is commonly implemented through a technical access control service (ACS) which includes embedded security management capabilities along with other access control and decision-making capabilities. The ACS is responsible for creating trust credentials that are used by the various organizational systems participating in the HIE to ensure that the proper level of authorization has been validated for any user accessing data in the system.

Many organizations use a process known as "role-based" access control that associates the person's identifier with various levels of access and permitted activities--roles. With this approach, each person (identifier) is assigned one or multiple roles. Each has specifically defined rights of access to and actions upon data in the system. 

Generally, role-based access is granted through multiple layers of specificity. A person is assigned a role which is related to their need to access data types, and that role has access rights relating to what actions may be performed on which data. Then, depending on additional criteria, the roles become more granular and specific to the types of data that may be accessed and the allowed actions on the data.

Correctly Identify the Patient

The goal of patient identification is the accurate identification of the patient and correct linking of all related information to that individual within and across systems.

Audit Policies

Patients must be allowed to know who has accessed their personal health information and for what purposes. The definition of "access" in this context is a subject to changing and evolving policies.

Creating an audit trail is a common method for tracking access to information. An audit trail enables the reconstruction of all activity within a system. For those organizations that currently use automated EHRs, this information has typically been accessed through the individual system audit logs. This provides a retrospective view of access but does not provide a mechanism for preventing inappropriate access. However, there are new tools on the market that use sophisticated algorithms for monitoring of logs and system activity in near real time to alert security officers of potential data breach situations.


Accountability refers to holding those responsible for security breaches, intentional or unintentional, liable for their actions. In the past, this was an often-overlooked area, and penalties were light or non-existent. Today, that is changing. The Health Information or Technology for Economic and Clinical Health (HITECH) Act strengthens the penalties, which now includes the possibility of fining organizations and individuals hundreds of thousands of dollars for breaches with the intent to do harm. Even unintentional breaches are subject to fines. Various American states have also added their own penalties for organizations and individuals. 

Questions to consider:

Developing authentication policies

  • How will you ensure that the individuals logging into the system are who they say they are?
  • How will you accommodate the multiple authentication processes in use at the various participants of your HIE?
  • What are your obligations as an HIPAA Business Associate to ensure appropriate authentication of all the users of your HIE?

Developing access policies

  • What are the applicable laws in your state relating to a patient's consent for participation in the HIE?
  • What policies do you need to implement to meet the stakeholder needs and concerns in your community?
  • What policies are needed to determine to which data a person has access and what specific actions they are allowed to take relative to those data?
  • How will you determine to which data a person has access and what actions they are allowed to take relative to those data?

Developing audit policies

  • What policies do you need to have in place to ensure that you can comply with a patient's request for an accounting of all accesses to his or her information?
  • What policies do you need to ensure that you can identify (and respond) to real or potential privacy breaches?
  • How will you ensure that you can consistently locate and inspect which records have been accessed and by whom?

Developing accountability policies

  • How will you hold those responsible for security breaches liable for their actions in accordance with HIPAA and HITECH requirements?
  • What are various levels and types of breaches for which you will hold our participants accountable?
  • What are your policies regarding patient notification of breaches?
  • What are the penalties for privacy breaches? Are these penalties based upon whether the breach was intentional?
  • Do the penalties take into account how much, if any, damage occurred?
  • How, and when, will patients be informed of privacy breaches of their personal health information?
  • How will you hold those responsible for security breaches liable for their actions in accordance with HIPAA and HITECH requirements?

Key Takeaways

When developing policies or evaluating existing policies for healthcare information privacy, the preceding breakdown provides a rigorous set of criteria that can ensure integrity in safeguarding patient information. Providers should be concerned about the need to keep their patients' information confidential, especially if they share those data through an HIE. It crucial to involve all stakeholders in a discussion surrounding policy development and how providers are responsible for information collection, security, distribution, and protection against breaches.