Access Controls & Authentication

Last updated: 2026-05-13

Who can access PHI, how access is granted and reviewed, and the authentication requirements for staff and patient accounts.

Currently in effect: v2.1

Effective 2026-05-13: MFA now required (not optional) for every staff account.

Current policy (v2.1)

Workforce members are granted the minimum access required for their role under a least-privilege model. Access is reviewed at onboarding, role change, and at least annually. Access is revoked the same business day a workforce member departs or changes roles.

All staff accounts require strong passwords and multi-factor authentication. Patient accounts support strong passwords, optional MFA, and session timeouts. Clinical, billing, and administrative functions are separated by role.

Change history

Each revision is preserved for transparency. Older versions describe the practices in place at the time they were effective.

  1. v2.1 (Current)

    MFA now required (not optional) for every staff account.

    • Made MFA mandatory for 100% of staff accounts (previously 'strongly recommended').
    • Added same-business-day access revocation on staff offboarding.
    • Documented annual access review cadence.
  2. v2.0

    Introduced role-based separation between clinical and billing staff.

    • Split clinical and billing roles so neither can access the other's tools by default.
    • Required vendors with PHI access to operate under a signed BAA.
  3. v1.0

    Initial published policy.


Questions? Contact our Privacy Officer at privacy@rootedhealthmember.com · Rooted Health Hormones & MedSpa, LLC · Conway, Arkansas