Thought Leaders: Responsibility for Identity & Access Management

Richard Ward was featured in the July 2020 edition of Care Analytics News. The question asked was:

“Who typically has responsibility for Identity and Access Management within health plans, and how does this role impact or protect their healthcare analytics objectives?”

Health plans are required by HIPAA regulations and contractually committed in many network agreements to designate an executive to serve as the “privacy officer” to take responsibility for assuring the security and confidentiality of protected health information. However, there are no regulatory limits on which executives can take on that responsibility. In practice, the IT department almost always takes responsibility for the technical aspects of data security and application access management, including network security, encryption of data in motion and at rest, and overseeing the directory technology used to manage user accounts and associated data and application privileges.

However, there is significant variation among health plans in the assignment of the “privacy officer” role and, more broadly, in assigning responsibility for the organization’s strategies, philosophy, policies and procedures regarding identity and access management. Sometimes, such non-technical responsibilities are assigned to the CIO, sometimes to business operations executives, and sometimes to legal and risk management professionals.

In our experience, any of these positions can be successful depending on the individuals and the organizational culture. However, when the responsibility is assigned to legal or technology professionals, our observation is that there can be a tendency for data policies to prioritize risk avoidance, which can reduce the ability of the organization to pursue healthcare analytics and cross-network data sharing with agility and nuance.

Recognizing this tendency, the trend is for health plans to assign such responsibilities to executives responsible for business functions, with the caveat that the responsibility is carried out with a necessary degree of prudence.
