UNIQUE USER IDENTIFICATION
ADMINISTRATIVE MANUAL
APPROVED BY:
SUPERCEDES POLICY:
DATE:
POLICY # 42
ADOPTED:
REVISED:
REVIEWED:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Assign a unique name and/or number for identifying and tracking user
identity.”
Policy Summary:
Access to Sindecuse Health Center (SHC) information systems must be
via user identifiers that uniquely identify workforce members and enable
activities of each identifier to be traced to a specific person or entity.
When unique user identifiers are insufficient or inappropriate, group
identifiers may be used to gain access to SHC information systems not
containing EPHI.
Purpose:
This policy reflects SHC’s commitment to assign a unique name or
number to identify and track the identity of workforce members who
access SHC information systems.
Policy:
1. SHC information systems must grant users access via unique
identifiers that:
 identify workforce members or users, and
 allow activities performed on information systems to be traced
back to a particular individual through tracking of unique
identifiers.
2. Unique identifiers must not give any indication of the user’s privilege
level.
3. Unique identifiers can include but are not limited to:
 Biometric identification
 Workforce member names
 Exclusive numbers (e.g. PIN)
4. Group user identifiers must not be used to gain access to [Hospital
Name] information systems that contain EPHI. When unique user
identifiers are insufficient or inappropriate, group identifiers may be used
only to gain access to SHC information systems that do not contain
EPHI.
5. Standard user naming practices (e.g. first initial, last name) must not
Page 1 of 3
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
UNIQUE USER IDENTIFICATION
be used for SHC workforce members who require access to highly
sensitive SHC information systems (e.g. firewalls, core routers). Such
practices can enable an attacker to target certain user names. Instead, a
SHC information security office approved user naming practice must be
used to create user names for such users.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Technical Safeguards
Regulatory Type:
REQUIRED Implementation Specification for Access Control Standard
Regulatory
Reference:
45 CFR 164.312(a)(2)(i)
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
Page 2 of 3
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
UNIQUE USER IDENTIFICATION
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Responsible
Department:
Information Systems
Policy Authority/
Enforcement:
SHC’s Security Official is responsible for monitoring and enforcement of
this policy, in accordance with Procedure #(TBD).
Related Policies:
Access Control
Emergency Access Procedure
Automatic Logoff
Encryption and Decryption
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 3 of 3
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.