ACCESS ESTABLISHMENT AND
MODIFICATION
POLICY # 13
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERSEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security Rule Language:
“Implement policies and procedures that, based upon the covered entity's
access authorization policies, establish, document, review, and modify a
user's right of access to a workstation, transaction, program, or
process.”
Policy Summary:
Sindecuse Health Center (SHC) must have a formal, documented process
for establishing, documenting, reviewing, and modifying access to SHC
information systems containing EPHI. The process must be based on
SHC’s access authorization policy. Only properly authorized and trained
workforce members may access SHC information systems containing
EPHI. Authorizing SHC information system staff must regularly review
workforce member access rights to SHC information systems containing
EPHI to ensure that they are provided only to those having a need for
specific information in order to accomplish a legitimate task. All
revisions to SHC workforce member access rights must be tracked and
logged.
Purpose:
This policy reflects SHC’s commitment to have a formal, documented
process for establishing, documenting, reviewing, and modifying access
to SHC information systems containing EPHI.
Policy:
1. SHC must have a formal, documented process for establishing,
documenting, reviewing, and modifying access to SHC information
systems containing EPHI. The process must be based on SHC’s access
authorization policy. At a minimum, the process must include:
- Procedure for establishing different levels of access to SHC
information systems containing EPHI.
- Procedure for documenting levels of access established to SHC
information systems containing EPHI.
- Procedure for regularly reviewing SHC workforce member
access privileges to SHC information systems containing EPHI.
- Procedure for modifying SHC workforce member access
privileges to SHC information systems containing EPHI.
Page 1 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
2. Only properly authorized and trained SHC workforce members may
access SHC information systems containing EPHI. Such access must be
established via a formal, documented process. At a minimum, this
process must include:
- Identification and definition of permitted access methods
- Identification and definition of length of time that access will be
granted
- Procedure for both granting a workforce member an access
method (e.g. password or token) and changing an existing access
method
- Procedure for managing access rights in a distributed and
networked environment
- Appropriate tracking and logging of activities by authorized
workforce members on SHC information systems containing
EPHI
3. Where appropriate, security controls or methods that allow access to
be established to SHC information systems containing EPHI must
include, at a minimum:
- Unique user identifiers (user IDs) that enable individual users to
be uniquely identified. User IDs must not give any indication of
the user’s privilege level. Common or shared identifiers must
not be used to gain access to information systems containing
EPHI. When unique user identifiers are insufficient or
inappropriate, shared identifiers may be used to gain access to
SHC information systems not containing EPHI.
- The prompt removal or disabling of access methods for persons
and entities that no longer need access to SHC EPHI.
- Verification that redundant user identifiers are not issued.
4. Access to SHC information systems containing EPHI must be limited
to SHC workforce members who have a need for specific EPHI in order
to perform their job responsibilities.
5. SHC workforce members must not provide access to SHC information
systems containing EPHI to unauthorized persons.
6. Appropriate SHC information system staff must regularly review
workforce member access rights to SHC information systems containing
EPHI to ensure that they are provided only to those who have a need for
specific EPHI in order to accomplish a legitimate task. Such rights must
be revised as necessary.
7. All revisions to SHC workforce member access rights must be tracked
and logged. At a minimum, such tracking and logging must provide the
following information:
- Date and time of revision
- Identification of workforce member whose access is being
revised
- Brief description of revised access right(s)
This information must be securely maintained.
Scope/Applicability:
This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory Category:
Administrative Safeguards
Regulatory Type:
ADDRESSABLE Implementation Specification for Information Access
Management Standard
Regulatory Reference:
45 CFR 164.308(a)(4)(ii)(B)
Definitions:
Electronic protected health information means individually identifiable
health information that is:
- Transmitted by electronic media
- Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Information system owner means the SHC workforce member(s) with
overall or final responsibility for an information system.
Responsible Department:
Information Systems
Policy Authority/Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).
Related Policies:
Information Access Management
Access Authorization
Facility Access Controls
Access Control and Validation Procedures
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD