HIPAA Security Policy # 11: Access Control

East Carolina University
HIPAA Security Policies
Subject: Access Control
Coverage: ECU Health Care Components
Policy #: Security-0011
Page: 1 of 2
Supersedes:
Approved:
Effective Date: April 21, 2005
Revised: March 30, 2012, May 30, 2013
Review Date: May 30, 2013
HIPAA Security Rule Language: “Implement policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in the Information Access Management Standard.”
Regulatory Reference: 45 CFR 164.312(a)(1)

I. PURPOSE

This policy reflects East Carolina University’s commitment to implement policies and procedures for information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights.

II.  AUTHORIZATION AND ENFORCEMENT

Health Care component management and/or administrator(s) are responsible for monitoring and enforcing this policy, in consultation with the ECU IT Security Officer, ECU HIPAA Security Officer, and ECU HIPAA Privacy Officer.

III.  POLICY

ECU Health Care Components must implement access control mechanisms for information systems that contain EPHI so that access is allowed only to those persons and software programs that have been granted access rights.

IV.  APPLICABILITY

This policy is applicable to all workforce members who are responsible for or otherwise administer a healthcare computing system. A healthcare computing system is defined as a device or group of devices that stores EPHI which is shared across the network and accessed by healthcare workers.

V.  PROCEDURE

The following standards and safeguards must be implemented to satisfy the requirements of this policy:

1. As defined in ECU’s Unique User Identification Standard, access to ECU Health Care Components information systems must be via user identifiers that uniquely identify workforce members and enable activities with each identifier to be traced to a specific person or entity.

2. As defined in ECU’s Emergency Access Procedure Standard, ECU Health Care Components must have a formal, documented emergency access procedure enabling authorized workforce members to obtain required EPHI during an emergency.

3. As defined in ECU’s Automatic Logoff Standard, ECU healthcare computing systems must automatically terminate electronic sessions when such sessions are not in use. If sessions cannot be terminated automatically, the workstations must be automatically locked after a period of inactivity.

4. As defined in ECU’s Encryption and Decryption Standard, where necessary, appropriate encryption must be used to protect the confidentiality, integrity and availability of EPHI contained on ECU Health Care Components information systems.

VI.  COORDINATING INSTRUCTIONS

1.  All section policies, standards and procedures will be reviewed annually. Every section policy, standard and procedure revision/replacement will be maintained for a minimum of six years from the date of its creation or when it was last in effect, whichever is later. Other East Carolina University, University of North Carolina system, or state of North Carolina requirements may stipulate a longer retention period.

Copyright 2003 Phoenix Health Systems, Inc.

Limited rights granted to licensee for internal use only. All other rights reserved.