Skip to main content
Notifications
You're all caught up.
View all notifications
OnlyHIPAA
← All documentation

Access Control Reviews

HIPAA §164.308(a)(3)(ii)(B) expects you to periodically review who has access to ePHI and confirm it's still appropriate. An access control review captures one such review — who was looked at, and what you decided for each person.

Starting a review

Create a review with a title, an optional ePHI system it covers (or leave it general), a period label (e.g. "Q1 2026"), an optional due date, and notes. When you create it, every active team member is added as a row to review, each starting as pending.

Working through it

For each person, record their access level and a decision — keep, remove, or modify — with optional notes. Save as you go. You can also set a decision on several rows at once. The review moves Open → In Review → Completed; once you complete it, the rows lock so the record is a faithful snapshot of what you decided and when.

Due dates

If you set a due date and the review isn't complete by then, it's flagged overdue in the list. Reviews are created manually — the period label is for your own cadence (quarterly, annually); there's no automatic recurrence.

Who can do what

Org admins create reviews, record decisions, and complete or delete them. Everyone else can view completed reviews read-only.

OnlyHIPAA

Making HIPAA compliance accessible for every healthcare organization.

HIPAA SOC 2 NIST CSF

View our security posture →

Product

  • Frameworks
  • Sherpa AI
  • Risk Analysis
  • Compliance Operations
  • Reporting
  • Integrations & API
  • Pricing

Company

  • About Us
  • Team
  • Mission
  • Contact

Legal

  • Privacy Policy
  • Terms of Service
  • BAA Template
  • Security

Resources

  • Documentation
  • HIPAA Guide
  • Blog
  • Status Page

© 2026 OnlyHIPAA, Inc. All rights reserved.

OnlyHIPAA provides tools to assist with HIPAA compliance but does not constitute legal advice. Consult qualified legal counsel for specific compliance guidance.