ACCESS CONTROL AND VALIDATION PROCEDURES
POLICY # 32
ADMINISTRATIVE MANUAL

APPROVED BY:
ADOPTED:
SUPERSEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:

HIPAA Security Rule Language:
"Implement procedures to control and validate a person's access to areas based on their role or function, including visitor control, and control of access to software programs for testing and revision."

Policy Summary:
Sindecuse Health Center (SHC) must control and validate physical access to its areas that have information systems containing EPHI or software programs that can access EPHI. All physical access rights to such areas must be clearly defined and documented, with access provided only to SHC workforce members who need specific access to the EPHI in order to accomplish a legitimate task. Additionally, such access rights must define specific roles or functions and the physical access rights associated with each. All physical access to SHC areas that have information systems containing EPHI or software programs that can access EPHI must be tracked and logged. SHC workforce members must wear an identification badge when in such SHC areas, and visitors must show proper identification and sign in prior to gaining access.

Purpose:
This policy reflects SHC's commitment to control and validate physical access to areas containing information systems having EPHI or software programs that can access EPHI.

Policy:
1. SHC will determine and document all areas considered sensitive due to the nature of the EPHI that is stored or available within them, for example the Medical Records (HIM) or Information Systems departments.
2. After documenting sensitive areas, access rights to such areas should be given only to workforce members who need specific physical access in order to accomplish a legitimate task.
3. Roles or functions of SHC workforce members and others (e.g. the public) who may be granted physical access rights to sensitive areas must be defined and documented.

Page 1 of 4 Copyright 2003 Phoenix Health Systems, Inc. Limited rights granted to licensee for internal use only. All other rights reserved.

4. All access rights to SHC areas containing information systems having EPHI or software programs that can access EPHI must be regularly reviewed and revised as necessary.
5. All physical access to sensitive areas must be tracked and logged. At a minimum, such tracking and logging must provide:
   - Date and time of access
   - Name or user ID of person gaining access
   This information must be stored in a secure manner and be regularly reviewed.
6. SHC workforce members must not attempt to gain physical access to SHC sensitive areas containing information systems having EPHI or software programs that can access EPHI for which they have not been given proper authorization.
7. SHC workforce members must immediately report to appropriate management the loss or theft of any device (e.g. card or token) that enables them to gain physical access to such sensitive areas.
8. SHC workforce members must wear an identification badge when at SHC and should be encouraged to report unknown persons not wearing such identification.
9. All visitors to sensitive areas must show proper identification and state the reason they need access.

Scope/Applicability:
This policy is applicable to all departments that use or disclose electronic protected health information for any purpose. This policy's scope includes all electronic protected health information, as described in Definitions below.

Regulatory Category: Physical Safeguards
Regulatory Type: ADDRESSABLE Implementation Specification for Facility Access Controls Standard
Regulatory Reference: 45 CFR 164.310(a)(2)(iii)

Definitions:
Electronic protected health information means individually identifiable health information that is:
   - Transmitted by electronic media
   - Maintained in electronic media

Electronic media means: (1) Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or (2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

Information system means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

Workforce member means employees, volunteers, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. This includes full- and part-time employees, affiliates, associates, students, volunteers, and staff from third-party entities who provide service to the covered entity.

Facility means the physical premises and the interior and exterior of a building(s).

Responsible Department: Building Coordinator; Information Systems; Supervisors

Policy Authority/Enforcement:
SHC's Security Official is responsible for monitoring and enforcement of this policy, in accordance with Procedure # (TBD).

Related Policies:
   - Facility Access Controls
   - Contingency Operations
   - Facility Security Plan
   - Maintenance Records

Renewal/Review:
This policy is to be reviewed annually to determine whether it complies with current HIPAA Security regulations. In the event that significant related regulatory changes occur, the policy will be reviewed and updated as needed.

Procedures: TBD