Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

POLICY # 8 ADMINISTRATIVE MANUAL APPROVED BY:

AUTHORIZATION AND/OR SUPERVISION
POLICY # 8
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERCEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Implement procedures for the authorization and/or supervision of
workforce members who work with EPHI or in locations where it might
be accessed.”
Policy Summary:
Sindecuse Health Center (SHC) must ensure that all workforce
members who can access SHC information systems containing EPHI
are appropriately authorized or supervised. SHC must have a formal
documented process for granting authorization to access to SHC
information systems containing EPHI. The type and extent of access
granted to SHC information systems containing EPHI must be based on
risk analysis. Appropriate SHC information system owners or their
chosen delegates must define and authorize all access to SHC information
systems containing EPHI. Access to SHC information systems
containing EPHI must be authorized only for SHC workforce members
having a need for specific information in order to accomplish their
respective job responsibilities.
Before third-party persons are granted access to SHC information
systems containing EPHI or SHC locations where EPHI can be accessed,
a risk analysis must be performed. Access by third-party persons to SHC
information systems containing EPHI or SHC locations where EPHI can
be accessed must be allowed only after appropriate security controls have
been implemented and an agreement has been signed defining the terms
for access. Where appropriate, third-party persons should be supervised
by an appropriate SHC employee.
Purpose:
This policy reflects SHC’s commitment to ensure that all workforce
members who can access SHC information systems containing EPHI
are appropriately authorized or supervised.
Policy:
1. SHC must ensure that all workforce members who can access SHC
information systems containing EPHI are appropriately authorized to
Page 1 of 5
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
AUTHORIZATION AND/OR SUPERVISION
access the system or supervised when they do so.
2. SHC must have a formal documented process for authorizing
appropriate access to SHC information systems containing EPHI. At a
minimum, the process must include:



Procedure for granting different levels of access to SHC
information systems containing EPHI.
Procedure for tracking and logging authorization of access to
SHC information systems containing EPHI.
Procedure for regularly reviewing and revising, as necessary,
authorization of access to SHC information systems containing
EPHI.
3. SHC workforce members must not be allowed access to information
systems containing EPHI until properly authorized.
4. The type and extent of access granted to SHC information systems
containing EPHI must be based on risk analysis. At a minimum, the risk
analysis must consider the following factors:



The importance of the applications running on the information
system
The value or sensitivity of the EPHI on the information system
The extent to which the information system is connected to other
information systems
5. Appropriate SHC information system stewards/owners or their chosen
delegates must define and authorize all access to SHC information
systems containing EPHI. Such information system owners and
delegates must be formally designated and documented.
6. Access to SHC information systems containing EPHI must be granted
only for SHC workforce members who have a need for specific EPHI in
order to accomplish a legitimate task. All such access must be defined
and documented. Such access must also be regularly reviewed and
revised as necessary.
7. SHC workforce members must not attempt to gain access to SHC
information systems containing EPHI for which they have not been given
proper authorization.
8. SHC must ensure that the confidentiality, integrity, and availability of
EPHI on SHC information systems is maintained when its information
systems are accessed by third parties
9. Before third party persons are granted access to SHC information
systems containing EPHI or SHC locations where EPHI can be accessed,
a risk analysis must be performed. At a minimum, the risk analysis must
Page 2 of 5
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
AUTHORIZATION AND/OR SUPERVISION
consider the following factors:




Type of access required
Sensitivity of the EPHI on the information system
Security controls on the information system
Security controls used by the third party
10. Access by third party persons to SHC information systems
containing EPHI or SHC locations where EPHI can be accessed must be
allowed only after appropriate security controls have been implemented
and an agreement has been signed defining the terms for access. The
agreement must define the following:



The security processes and controls necessary to ensure
compliance with SHC’s security policies.
Restrictions regarding the use and disclosure of SHC data.
SHC’s right to monitor and revoke third party persons’ access
and activity.
11. Where appropriate, third party persons should be supervised by an
appropriate SHC employee when they are accessing SHC information
systems containing EPHI or in a SHC location where EPHI might be
accessed.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Administrative Safeguards
Regulatory Type:
ADDRESSABLE Implementation Specification for Workforce Security
Standard
Regulatory
Reference:
45 CFR 164.308(a)(3)(ii)(A)
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Page 3 of 5
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
AUTHORIZATION AND/OR SUPERVISION
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Availability means the property that data or information is accessible and
useable upon demand by an authorized person.
Confidentiality means the property that data or information is not made
available or disclosed to unauthorized persons or processes.
Integrity means the property that data or information have not been
altered or destroyed in an unauthorized manner.
Information system owner means the SHC workforce member(s) with
overall or final responsibility for an information system.
Responsible
Department:
Information Systems
Administrative Office
Policy Authority/
SHC’s Security Official is responsible for monitoring and enforcement of
Page 4 of 5
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
AUTHORIZATION AND/OR SUPERVISION
Enforcement:
this policy, in accordance with Procedure #(TBD).
Related Policies:
Workforce Security
Workforce Clearance Procedure
Termination Procedures
Access Authorization
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 5 of 5
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
Related documents
PROHIBITION OF RETALIATION AGAINST EMPLOYEES, INDIVIDUALS OR OTHERS
PROHIBITION OF RETALIATION AGAINST EMPLOYEES, INDIVIDUALS OR OTHERS
P37-DISPSL
P37-DISPSL
P5-ISAREV
P5-ISAREV
Cooperative Innovative High School Curriculum Template Associate in Science
Cooperative Innovative High School Curriculum Template Associate in Science
Cooperative Innovative High School Curriculum Template Associate in Arts
Cooperative Innovative High School Curriculum Template Associate in Arts
53. policies and procedures for security
53. policies and procedures for security
ROMAN CATHOLICS IN MINEHEAD
ROMAN CATHOLICS IN MINEHEAD
Download