MEMORANDUM

TO: AAA Executive Directors          NOTICE #: 041103-2-PC-MIS

FROM: Susan M. Tucker, Deputy Secretary

DATE: April 11, 2003

SUBJECT: Notice of Policy Clarification: HIPAA Computer Access Issues

To ensure our compliance with the Health Insurance Portability and Accountability Act (HIPAA) and with the State Technology Office (STO) security policies and procedures, the Division of Information Systems is issuing this Notice of Instruction.

All HIPAA covered entities must be compliant with the Privacy Rule by April 15, 2003. In addition to the Department’s Privacy Policies and Procedures posted on our website (HIPAA Information), we are providing the following Information Systems guidance. All of this information was shared with your LAN Administrator during a conference call on April 2, 2003, and in numerous individual phone conversations with DOEA MIS personnel.

The Department’s access policy applies to all workforce members of DOEA and of the Area Agencies on Aging (AAAs), and to all contractors, consultants, temporary employees and business partners. It covers all computer and communications systems owned or operated by DOEA, on all platforms (operating systems) and all application systems.

CIRTS Access

  • Beginning Monday, April 14, 2003, access to the CIRTS database through R&R, Microsoft Access or other third-party applications is prohibited. Database access privileges will be granted by DOEA, or by the AAAs, on a limited basis, to ensure compliance with privacy requirements and that a “need-to-know” standard is established and followed.
  • Each AAA will be granted Oracle database connections outside of DOEA’s proprietary system by exception only. Each exception will be documented, and each user will sign an agreement to maintain the confidentiality of clients’ Protected Health Information (PHI).

  • Only the AAA Director can authorize this access in the field. DOEA will authorize access for DOEA employees.


  • The procedure for authorizing access is as follows:
    - Each AAA Director will e-mail the Director of Information Systems, Maureen Olson, to request access to the database via ODBC or other third-party connections.
    - The LAN Administrator will then be granted access to the system controls that allow him/her to manage this access. The LAN Administrator is responsible for managing this access, including tracking the required user demographic information in accordance with the Database Security Plan (dated April 14, 2003). This document will be e-mailed to each LAN Administrator on Monday, April 14, 2003.
    - This activity will be subject to DOEA monitoring.
    - Access must be reviewed semi-annually to affirm that the need-to-know requirement still holds. These users are subject to the same conditions as CIRTS users. Access permissions will be assigned through specific roles with delineated privileges.
    - DOEA and the AAAs reserve the right to revoke this privilege at any time.
  • Each AAA LAN Administrator must track the following information for every user granted this access:
    - Name
    - Position
    - Place of Employment
    - Supervisor
    - Roles required (the tables the user needs access to view)
    - Signed confidentiality agreement authorizing access

  • It is the Department’s full intention that this be a temporary measure while web-based technologies are under development. This policy ensures that users granted this privilege understand that strict adherence to the privacy policy will be enforced, and that access will be denied if security and privacy policies are not followed.
  • Once a quarter, DOEA will hold a team meeting with the AAAs to discuss changes or modifications to the CIRTS application, if any requests are received from users. Requests should be sent to the Division Director of Information Systems Services. Please contact Maureen Olson to identify your CIRTS modification team member(s). Your representative(s) will be notified by e-mail at least two weeks in advance of any conference call.