Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

POLICY # 41 ADMINISTRATIVE MANUAL APPROVED BY:

POLICY # 41
ACCESS CONTROL
ADMINISTRATIVE MANUAL
APPROVED BY:
SUPERCEDES POLICY:
DATE:
ADOPTED:
REVISED:
REVIEWED:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Implement policies and procedures for electronic information systems
that maintain EPHI to allow access only to those persons or software
programs that have been granted access rights as specified in the
Information Access Management Standard.”
Policy Summary:
Sindecuse Health Center (SHC) must purchase and implement
information systems that comply with SHC’s Information Access
Management policy. SHC information systems must support a formal
process for granting appropriate access to SHC information systems
containing EPHI. Access to SHC information systems containing EPHI
must be limited to SHC workforce members and software programs
having a need for specific information in order to accomplish a legitimate
task.
Purpose:
This policy reflects SHC’s commitment to purchase and implement
information systems that comply with SHC’s information access
management policies.
Policy:
1. SHC must purchase and implement information systems that comply
with its information access management policy.
2. All current SHC information systems that do not currently comply
with SHC’s information access management policy must be identified
and evaluated according to SHC’s risk analysis process.
3. As appropriate, SHC information systems must support one or more of
the following types of access control to protect the confidentiality,
integrity and availability of EPHI contained on SHC information
systems:



User based
Role based
Context based
4. SHC information systems must support a formal process for granting
appropriate access to SHC information systems containing EPHI. At a
Page 1 of 5
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
ACCESS CONTROL
minimum, the process must include:



Procedure for granting different levels of access to [Hospital
Name] information systems containing EPHI.
Procedure for tracking and logging authorization of access to
[Hospital Name] information systems containing EPHI.
Procedure for regularly reviewing and revising, as necessary,
authorization of access to [Hospital Name] information systems
containing EPHI.
5. Neither SHC workforce members and software programs can be
granted access to information systems containing EPHI until properly
authorized.
6. As appropriate, security controls or methods that allow access to SHC
information systems containing EPHI must include, at a minimum:




Unique user identifiers (user IDs) that enable persons and
identities to be uniquely identified. User IDs must not give any
indication of the user’s privilege level. Group identifiers must
not be used to gain access to SHC information systems
containing EPHI. When unique user identifiers are insufficient or
inappropriate, group identifiers may be used to gain access to
SHC information systems not containing EPHI.
A secret identifier (password).
The prompt removal or disabling of access methods for persons
and entities that no longer need access to SHC EPHI.
Verification that redundant user identifiers are not issued.
7. Access to SHC information systems containing EPHI must be limited
to SHC workforce members and software programs that have a need to
access specific information in order to accomplish a legitimate task.
8. SHC workforce members must not provide access to SHC’s
information systems containing EPHI to unauthorized persons.
9. Appropriate SHC information system owners or their designated
delegates must regularly review workforce member and software
program access rights to SHC information systems containing EPHI to
ensure that access is granted only to those having a need for specific
information in order to accomplish a legitimate task. Such rights must be
revised as necessary.
10. All revisions to SHC workforce member and software program
access rights must be tracked and logged. At a minimum, such tracking
and logging must provide the following information:


Date and time of revision
Identification of workforce member or software program whose
Page 2 of 5
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
ACCESS CONTROL


access is being revised
Brief description of revised access right(s)
Reason for revision
This information must be securely maintained.
11. As defined in SHC’s Unique User Identification policy, access to
SHC information systems must be via user identifiers that uniquely
identify workforce members and enable activities with each identifier to
be traced to a specific person or entity.
12. As defined in SHC’s Emergency Access Procedure policy, SHC
must have a formal, documented emergency access procedure enabling
authorized workforce members to obtain required EPHI during an
emergency.
13. As defined in SHC’s Automatic Logoff policy, SHC workforce
members must end electronic sessions between information systems that
contain or can access EPHI when such sessions are finished, unless they
can be secured by an appropriate locking method.
14. As defined in SHC’s Encryption and Decryption policy, where risk
analysis shows it is necessary, appropriate encryption must be used to
protect the confidentiality, integrity and availability of EPHI contained on
SHC information systems.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Technical Safeguards
Regulatory Type:
Standard
Regulatory
Reference:
45 CFR 164.312(a)(1)
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Page 3 of 5
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
ACCESS CONTROL
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Availability means the property that data or information is accessible and
useable upon demand by an authorized person.
Confidentiality means the property that data or information is not made
available or disclosed to unauthorized persons or processes.
Integrity means the property that data or information have not been
altered or destroyed in an unauthorized manner.
Responsible
Department:
Information Systems
Policy Authority/
Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).
Related Policies:
Unique User Identification
Emergency Access Procedure
Page 4 of 5
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
ACCESS CONTROL
Automatic Logoff
Encryption and Decryption
Information Access Management
Access Authorization
Access Establishment and Modification
Facility Access Controls
Access Control and Validation Procedures
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 5 of 5
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
Related documents
PROHIBITION OF RETALIATION AGAINST EMPLOYEES, INDIVIDUALS OR OTHERS
PROHIBITION OF RETALIATION AGAINST EMPLOYEES, INDIVIDUALS OR OTHERS
POLICY # 24 ADMINISTRATIVE MANUAL APPROVED BY:
POLICY # 24 ADMINISTRATIVE MANUAL APPROVED BY:
Cooperative Innovative High School Curriculum Template Associate in Science
Cooperative Innovative High School Curriculum Template Associate in Science
P5-ISAREV
P5-ISAREV
POLICY # 32 ADMINISTRATIVE MANUAL APPROVED BY:
POLICY # 32 ADMINISTRATIVE MANUAL APPROVED BY:
Cooperative Innovative High School Curriculum Template Associate in Arts
Cooperative Innovative High School Curriculum Template Associate in Arts
Download