AUTHORIZATION AND/OR SUPERVISION POLICY # 8 ADMINISTRATIVE MANUAL APPROVED BY: ADOPTED: SUPERCEDES POLICY: REVISED: REVIEWED: DATE: REVIEW: PAGE: HIPAA Security Rule Language: “Implement procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it might be accessed.” Policy Summary: Sindecuse Health Center (SHC) must ensure that all workforce members who can access SHC information systems containing EPHI are appropriately authorized or supervised. SHC must have a formal documented process for granting authorization to access to SHC information systems containing EPHI. The type and extent of access granted to SHC information systems containing EPHI must be based on risk analysis. Appropriate SHC information system owners or their chosen delegates must define and authorize all access to SHC information systems containing EPHI. Access to SHC information systems containing EPHI must be authorized only for SHC workforce members having a need for specific information in order to accomplish their respective job responsibilities. Before third-party persons are granted access to SHC information systems containing EPHI or SHC locations where EPHI can be accessed, a risk analysis must be performed. Access by third-party persons to SHC information systems containing EPHI or SHC locations where EPHI can be accessed must be allowed only after appropriate security controls have been implemented and an agreement has been signed defining the terms for access. Where appropriate, third-party persons should be supervised by an appropriate SHC employee. Purpose: This policy reflects SHC’s commitment to ensure that all workforce members who can access SHC information systems containing EPHI are appropriately authorized or supervised. Policy: 1. SHC must ensure that all workforce members who can access SHC information systems containing EPHI are appropriately authorized to Page 1 of 5 Copyright 2003 Phoenix Health Systems, Inc. Limited rights granted to licensee for internal use only. All other rights reserved. AUTHORIZATION AND/OR SUPERVISION access the system or supervised when they do so. 2. SHC must have a formal documented process for authorizing appropriate access to SHC information systems containing EPHI. At a minimum, the process must include: Procedure for granting different levels of access to SHC information systems containing EPHI. Procedure for tracking and logging authorization of access to SHC information systems containing EPHI. Procedure for regularly reviewing and revising, as necessary, authorization of access to SHC information systems containing EPHI. 3. SHC workforce members must not be allowed access to information systems containing EPHI until properly authorized. 4. The type and extent of access granted to SHC information systems containing EPHI must be based on risk analysis. At a minimum, the risk analysis must consider the following factors: The importance of the applications running on the information system The value or sensitivity of the EPHI on the information system The extent to which the information system is connected to other information systems 5. Appropriate SHC information system stewards/owners or their chosen delegates must define and authorize all access to SHC information systems containing EPHI. Such information system owners and delegates must be formally designated and documented. 6. Access to SHC information systems containing EPHI must be granted only for SHC workforce members who have a need for specific EPHI in order to accomplish a legitimate task. All such access must be defined and documented. Such access must also be regularly reviewed and revised as necessary. 7. SHC workforce members must not attempt to gain access to SHC information systems containing EPHI for which they have not been given proper authorization. 8. SHC must ensure that the confidentiality, integrity, and availability of EPHI on SHC information systems is maintained when its information systems are accessed by third parties 9. Before third party persons are granted access to SHC information systems containing EPHI or SHC locations where EPHI can be accessed, a risk analysis must be performed. At a minimum, the risk analysis must Page 2 of 5 Copyright 2003 Phoenix Health Systems, Inc. Limited rights granted to licensee for internal use only. All other rights reserved. AUTHORIZATION AND/OR SUPERVISION consider the following factors: Type of access required Sensitivity of the EPHI on the information system Security controls on the information system Security controls used by the third party 10. Access by third party persons to SHC information systems containing EPHI or SHC locations where EPHI can be accessed must be allowed only after appropriate security controls have been implemented and an agreement has been signed defining the terms for access. The agreement must define the following: The security processes and controls necessary to ensure compliance with SHC’s security policies. Restrictions regarding the use and disclosure of SHC data. SHC’s right to monitor and revoke third party persons’ access and activity. 11. Where appropriate, third party persons should be supervised by an appropriate SHC employee when they are accessing SHC information systems containing EPHI or in a SHC location where EPHI might be accessed. Scope/Applicability: This policy is applicable to all departments that use or disclose electronic protected health information for any purposes. This policy’s scope includes all electronic protected health information, as described in Definitions below. Regulatory Category: Administrative Safeguards Regulatory Type: ADDRESSABLE Implementation Specification for Workforce Security Standard Regulatory Reference: 45 CFR 164.308(a)(3)(ii)(A) Definitions: Electronic protected health information means individually identifiable health information that is: Transmitted by electronic media Maintained in electronic media Page 3 of 5 Copyright 2003 Phoenix Health Systems, Inc. Limited rights granted to licensee for internal use only. All other rights reserved. AUTHORIZATION AND/OR SUPERVISION Electronic media means: (1) Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or (2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission. Information system means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. Workforce member means employees, volunteers, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. This includes full and part time employees, affiliates, associates, students, volunteers, and staff from third party entities who provide service to the covered entity. Availability means the property that data or information is accessible and useable upon demand by an authorized person. Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes. Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner. Information system owner means the SHC workforce member(s) with overall or final responsibility for an information system. Responsible Department: Information Systems Administrative Office Policy Authority/ SHC’s Security Official is responsible for monitoring and enforcement of Page 4 of 5 Copyright 2003 Phoenix Health Systems, Inc. Limited rights granted to licensee for internal use only. All other rights reserved. AUTHORIZATION AND/OR SUPERVISION Enforcement: this policy, in accordance with Procedure #(TBD). Related Policies: Workforce Security Workforce Clearance Procedure Termination Procedures Access Authorization Renewal/Review: This policy is to be reviewed annually to determine if the policy complies with current HIPAA Security regulations. In the event that significant related regulatory changes occur, the policy will be reviewed and updated as needed. Procedures: TBD Page 5 of 5 Copyright 2003 Phoenix Health Systems, Inc. Limited rights granted to licensee for internal use only. All other rights reserved.