HIPAA §164.308(a)(3)(ii)(B) expects you to periodically review who has access to ePHI and confirm it's still appropriate. An access control review captures one such review — who was looked at, and what you decided for each person.
Create a review with a title, an optional ePHI system it covers (or leave it general), a period label (e.g. "Q1 2026"), an optional due date, and notes. When you create it, every active team member is added as a row to review, each starting as pending.
For each person, record their access level and a decision (keep, remove, or modify) with optional notes. Save as you go. You can also set a decision on several rows at once. The review moves through three states, Open → In Review → Completed; once you complete it, the rows lock so the record is a faithful snapshot of what you decided and when.
If you set a due date and the review isn't complete by then, it's flagged overdue in the list. Reviews are created manually — the period label is for your own cadence (quarterly, annually); there's no automatic recurrence.
Org admins create reviews, record decisions, and complete or delete them. Everyone else can view completed reviews read-only.