An IAM system has the following advantages; which statement is correct?

• A. Provides HIPAA-required encryption for PHI
• B. Satisfies CFR Title 21 Part 11
• C. Meets HIPAA Security Rule requirements regarding access to PHI
• D. Meets HIPAA Privacy Rule requirements regarding identification

Answer: (C)

Identity and access management focuses on ensuring that the right people can access the right information for the right reasons. The HIPAA Security Rule requires technical safeguards that control access to electronic PHI, including authentication, authorization, and the ability to audit who accessed what data. An IAM system directly supports these requirements by enforcing unique user identities, applying appropriate access based on role, and logging access events for audits. Encryption of PHI is a valuable safeguard but not universally mandatory by HIPAA—it's one option within risk management, not a blanket requirement like access controls. The Privacy Rule governs how PHI may be used and disclosed and patient rights, not the internal mechanism for access control. CFR Title 21 Part 11 relates to electronic records and signatures in FDA-regulated contexts, not HIPAA access controls. Therefore, the most accurate statement is that an IAM system meets HIPAA Security Rule requirements regarding access to PHI.