ACCESS CONTROL
Access ControlAdministrative Manual / POLICY # 41
APPROVED BY:
SUPERCEDES POLICY: / ADOPTED:
REVISED:
REVIEWED:
DATE: / REVIEW:
PAGE:
HIPAA Security Rule Language: / “Implement policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in the Information Access Management Standard.”
Policy Summary: / Sindecuse Health Center (SHC) must purchase and implement information systems that comply with SHC’s Information Access Management policy. SHC information systems must support a formal process for granting appropriate access to SHC information systems containing EPHI. Access to SHC information systems containing EPHI must be limited to SHC workforce members and software programs having a need for specific information in order to accomplish a legitimate task.
Purpose: / This policy reflects SHC’s commitment to purchase and implement information systems that comply with SHC’s information access management policies.
Policy: / 1. SHC must purchase and implement information systems that comply with its information access management policy.
2. All current SHC information systems that do not currently comply with SHC’s information access management policy must be identified and evaluated according to SHC’s risk analysis process.
3. As appropriate, SHC information systems must support one or more of the following types of access control to protect the confidentiality, integrity and availability of EPHI contained on SHC information systems:
- User based
- Role based
- Context based
- Procedure for granting different levels of access to [Hospital Name] information systems containing EPHI.
- Procedure for tracking and logging authorization of access to [Hospital Name] information systems containing EPHI.
- Procedure for regularly reviewing and revising, as necessary, authorization of access to [Hospital Name] information systems containing EPHI.
6. As appropriate, security controls or methods that allow access to SHC information systems containing EPHI must include, at a minimum:
- Unique user identifiers (user IDs) that enable persons and identities to be uniquely identified. User IDs must not give any indication of the user’s privilege level. Group identifiers must not be used to gain access to SHC information systems containing EPHI. When unique user identifiers are insufficient or inappropriate, group identifiers may be used to gain access to SHC information systems not containing EPHI.
- A secret identifier (password).
- The prompt removal or disabling of access methods for persons and entities that no longer need access to SHC EPHI.
- Verification that redundant user identifiers are not issued.
8. SHC workforce members must not provide access to SHC’s information systems containing EPHI to unauthorized persons.
9. Appropriate SHC information system owners or their designated delegates must regularly review workforce member and software program access rights to SHC information systems containing EPHI to ensure that access is granted only to those having a need for specific information in order to accomplish a legitimate task. Such rights must be revised as necessary.
10. All revisions to SHC workforce member and software program access rights must be tracked and logged. At a minimum, such tracking and logging must provide the following information:
- Date and time of revision
- Identification of workforce member or software program whose access is being revised
- Brief description of revised access right(s)
- Reason for revision
11. As defined in SHC’s Unique User Identification policy, access to SHC information systems must be via user identifiers that uniquely identify workforce members and enable activities with each identifier to be traced to a specific person or entity.
12. As defined in SHC’s Emergency Access Procedure policy, SHC must have a formal, documented emergency access procedure enabling authorized workforce members to obtain required EPHI during an emergency.
13. As defined in SHC’s Automatic Logoff policy, SHC workforce members must end electronic sessions between information systems that contain or can access EPHI when such sessions are finished, unless they can be secured by an appropriate locking method.
14. As defined in SHC’s Encryption and Decryption policy, where risk analysis shows it is necessary, appropriate encryption must be used to protect the confidentiality, integrity and availability of EPHI contained on SHC information systems.
Scope/Applicability: / This policy is applicable to all departments that use or disclose electronic protected health information for any purposes.
This policy’s scope includes all electronic protected health information, as described in Definitions below.
Regulatory Category: / Technical Safeguards
Regulatory Type: / Standard
Regulatory Reference: / 45 CFR 164.312(a)(1)
Definitions: / Electronic protected healthinformation means individually identifiable health information that is:
- Transmitted by electronic media
- Maintained in electronic media
(1) Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.
Information system means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. This includes full and part time employees, affiliates, associates, students, volunteers, and staff from third party entities who provide service to the covered entity.
Availability means the property that data or information is accessible and useable upon demand by an authorized person.
Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.
Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.
Responsible Department: / Information Systems
Policy Authority/ Enforcement: / SHC’s Security Official is responsible for monitoring and enforcement of this policy, in accordance with Procedure # (TBD).
Related Policies: / Unique User Identification
Emergency Access Procedure
Automatic Logoff
Encryption and Decryption
Information Access Management
Access Authorization
Access Establishment and Modification
Facility Access Controls
Access Control and Validation Procedures
Renewal/Review: / This policy is to be reviewed annually to determine if the policy complies with current HIPAA Security regulations. In the event that significant related regulatory changes occur, the policy will be reviewed and updated as needed.
Procedures: / TBD
Page 1 of 5
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.