OCR has published a new edition of its Cybersecurity Newsletter, which focuses on controlling access to ePHI. The newsletter highlights the numerous security incidents affecting the healthcare industry and OCR’s investigations into hackers infiltrating information systems, workforce members impermissibly accessing patients’ information, and ePHI being left on unsecured servers.

OCR’s newsletter reminds healthcare organizations that Information Access Management and Access Control are two HIPAA Security Rule standards that govern access to ePHI. Information Access Management is an administrative safeguard for ePHI, and Access Control is a technical safeguard for ePHI. Although their roles in securing ePHI are distinct, together they ensure that organizations implement policies and procedures, as well as technical controls, that limit access to ePHI to only authorized persons or software programs that have been granted access rights.

The rise in data breaches due to hacking, as well as threats to ePHI from malicious insiders, highlights the importance of establishing and implementing appropriate policies and procedures regarding these Security Rule requirements. Ensuring that workforce members are authorized to access only the ePHI necessary, and that technical controls are in place to restrict access to ePHI, can help limit potential unauthorized access to ePHI from both threats.