TERMINATION PROCEDURES
POLICY # 10
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERSEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security Rule Language:
“Implement procedures for terminating access to electronic protected
health information when the employment of a workforce member ends or
as required by determinations made as specified in paragraph
(a)(3)(ii)(B) of this section.”
Policy Summary:
When the employment of Sindecuse Health Center (SHC) workforce
members ends, their information systems privileges, both internal and
remote, must be disabled or removed by the time of departure. When
workforce members depart from SHC, they must return all SHC supplied
equipment by the time of departure. A workforce member who departs
from SHC must not retain, give away, or remove from SHC premises any
SHC information. Special attention must be paid to situations where a
workforce member has been terminated and poses a risk to information or
systems at SHC.
Purpose:
This policy reflects SHC’s commitment to create and implement a
formal, documented process for terminating access to electronic protected
health information (EPHI) when the employment of a workforce member
ends.
Policy:
1. SHC must create and implement a formal, documented process for
terminating access to electronic protected health information (EPHI)
when the employment of a workforce member ends.
2. When the employment of SHC workforce members ends, their
information systems privileges, both internal and remote, must be
disabled or removed by the time of departure. SHC information system
privileges include, but are not limited to, workstation and server access,
data access, network access, email accounts, and inclusion on bulk e-mail
lists. Consideration should also be given to physical access to areas where
EPHI is located.
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
3. When workforce members provide advance notice of their intention to
leave SHC, the administrative department and/or the immediate
supervisor must give at least two days' notice to the persons or
departments responsible for SHC information system privileges granted
to the departing workforce member. Receipt of and response to such
notices must be tracked and logged.
4. At a minimum, such tracking and logging must provide the following
information:
• Date and time notice of employee departure received
• Date of planned employee departure
• Brief description of access to be terminated
• Date, time, and description of actions taken
This information must be securely maintained.
5. All SHC workforce members must have their information system
privileges automatically disabled after their user ID or access method has
had 90 days of inactivity (example: when an external consultant ceases
supplying services to SHC without providing appropriate notification).
All such privileges that are disabled in this manner must be reviewed to
ensure that the inactivity is not due to termination of employment. If
termination is the reason for inactivity, there must be a review of the
situation to ensure that all access to EPHI (or the ability to physically
access information) has been eliminated.
6. When workforce members depart from SHC, they must return all SHC
supplied equipment by the time of departure. Such equipment includes,
but is not limited to:
• Portable computers
• Personal digital assistants (PDAs)
• Name tags or name identification badges
• Building, desk or office keys
• Access cards
• Security tokens
7. The return of all such equipment must be tracked and logged. At a
minimum, such tracking and logging must provide the following
information:
• Date and time
• Workforce member’s name
• Brief description of returned items
This information must be securely maintained.
8. If a departing workforce member has used cryptography on SHC data,
they must make the cryptographic keys available to appropriate
management.
9. As appropriate, all physical security access codes used to protect SHC
information systems that are known by a departing workforce member
must be deactivated or changed. For example, the PIN to a keypad lock
that restricts entry to a SHC facility containing information systems with
EPHI must be changed if a workforce member who knows the PIN
departs.
10. A workforce member who departs from SHC must not retain, give
away, or remove from SHC premises any SHC information (this does not
apply to copies of information provided to the public or copies of
correspondence directly related to the terms and conditions of
employment). All other SHC information in the possession of the
departing workforce member must be provided to the person's immediate
supervisor at the time of departure.
11. When SHC workforce members’ employment ends, their computers’
resident files must be promptly reviewed by their immediate supervisors
to determine the appropriate transfer or disposal of any confidential
information.
12. Special attention must be paid to situations where a departing
employee poses a risk to information or systems at SHC. If a workforce
member is to be terminated immediately, their information system
privileges must be removed or disabled just before they are notified of the
termination.
13. SHC must appoint an appropriate department, such as the
Information Security Office or Internal Audit unit, to monitor compliance
with this policy. Periodic review of SHC information system access
privileges will be performed to ensure that this policy is being adhered to
and that existing procedures are effective.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory Category:
Administrative Safeguards
Regulatory Type:
ADDRESSABLE Implementation Specification for Workforce Security
Standard
Regulatory Reference:
45 CFR 164.308(a)(3)(ii)(C)
Definitions:
Electronic protected health information means individually identifiable
health information that is:
• Transmitted by electronic media
• Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
A security token system means a system in which a small hardware device
along with a secret code (e.g. password or PIN) is used to authorize
access to an information system.
Cryptography means encrypting ordinary text into undecipherable text
then decrypting the text back into ordinary text.
Responsible Department:
Administration
Policy Authority/Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).
Related Policies:
Workforce Security
Authorization and/or Supervision
Workforce Clearance Procedure
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD