HIPAA Security System Access

Layout for printing

Policy Number:

UW-132

Old Policy Number:

8.9

Responsible Office:

Office of Compliance

University Policy

Rationale/​Purpose:

In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.

Definitions:

Business associate

A person or entity not affiliated with UW–Madison that performs or assists in performing, for or on behalf of any unit in the UW–Madison health care component (UW HCC), business support functions/services that involve the use of protected health information (PHI).

Business data custodian

A university official having direct operational-level responsibility for the management of one or more types of data. They are charged with providing authorization for access to institutional data. 

Electronic protected health information (ePHI)

Any individually identifiable health information protected by HIPAA that is transmitted by or stored in electronic media.

Minimum necessary information

Protected health information that is the minimum necessary to accomplish the intended purpose of the access, acquisition, use, disclosure, or request. The “minimum necessary information” principle applies to all protected health information in any form. 

Protected health information (PHI)

Health information or health care payment information, including demographic information collected from an individual, which identifies the individual or can be used to identify the individual. Protected health information does not include student records held by educational institutions or employment records held by employers. 

Role

The category or class of person or persons doing a type of job that is defined by a set of similar or identical responsibilities.

User

A person or entity that has access to the organization’s information systems. This includes workforce members, business associates, external research collaborators, and other external persons or entities of all kinds. 

UW–Madison health care component (UW HCC)

Those units of UW–Madison that have been designated by the university as part of its health care component under HIPAA. See UW-100 Designation of UW–Madison Health Care Component for a listing of these units.

Workforce

Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

Scope:

Applies to all members of the UW HCC.

Policy:

Policy Summary

It is the policy of UW–Madison that the units of the UW HCC and each unit within UW–Madison that is a business associate of a covered entity (hereafter collectively referred to as “units”) ensure the confidentiality, integrity, and availability of all protected health information by establishing the following documentation and procedural requirements.

1. Access to information systems and applications by all users, including but not limited to workforce members, volunteers, business associates, contracted providers, consultants, and any other person or entity, is only authorized as described in UW-109 The Minimum Necessary Standard.
2. The same levels of confidentiality that exist for hardcopy protected health information, business, and proprietary information apply to digital and/or electronic protected health information within the organization’s information systems and applications, and are extended even after termination or another conclusion of access.
3. Additional restrictions on system access are included in UW-133 HIPAA Security Remote Access and UW-136 HIPAA Security System Configuration and Use.

Policy Detail

1. Access Authorization

   1. Role-based access authorization categories must be based on the criteria described in UW-109 The Minimum Necessary Standard.
   2. The user is granted access based on these pre-determined roles. When there is not a suitable pre-defined role, the business data custodian may authorize access.
   3. Access authorization, revocation of authorization, or other authorization decisions must be documented. See sections VII (Documentation Requirements) and VIII (Forms).

2. Workforce Clearance Procedure

   1. The level of access assigned to a user of the organization’s information systems and applications is based on the criteria described in UW-109 The Minimum Necessary Standard.
   2. Any access not specifically authorized is prohibited. When possible, technical means will be used to prevent unauthorized access.

3. Access Establishment and Modification

   1. Access to any of the organization’s information systems and applications will not be granted until:
      1. Training, as described in UW-137 HIPAA Privacy and Security Training, is completed.
      2. A signed Confidentiality and Information Access Agreement is on file. Forms and signatures may be electronic. See sections VII (Documentation Requirements) and VIII (Forms).
   2. Whenever new or expanded access to specific resources is requested:
      1. Access will not be granted until a System Access Request form is received, reviewed, and any additional approval is obtained.
      2. When reviewing a request for new access, the requestor’s current access should also be reviewed and modified to conform with the criteria described in UW-109 The Minimum Necessary Standard.
   3. Each user’s access must be periodically reviewed and modified to conform with the criteria described in UW-109 The Minimum Necessary Standard.
   4. The person who authorizes access should be different from the person who grants access.

4. Unique User Identification and Person or Entity Authentication

   1. Multi-factor authentication should be used when available.
   2. Access to the organization’s information systems and applications is controlled by requiring unique user login IDs and passwords for each individual user or entity.
   3. Users may not allow anyone for any reason to have access to any information system or application using another user’s unique user login ID and password.
   4. If a user believes their user login ID has been compromised, they are required to immediately report the incident as described in UW-131 Reporting of HIPAA Incidents and Notifications in the Case of Breaches of Unsecured PHI.

5. Password Management

   1. When user login IDs and passwords are used to control access to the organization’s information systems and applications, the passwords must not be disclosed.
   2. Passwords are not displayed at any time, nor should they be stored in clear text in programming scripts.
   3. A user login ID and generic password are initially assigned for each user. The user login ID and password are forwarded to the user securely. Users are required to change the password upon first-time use.
   4. Minimum password requirements are described in the UW–Madison IT Password Standard. Units and information systems may require stronger passwords.
   5. Users are required to change passwords periodically.
   6. The information systems or applications are programmed to deny a user’s ability to use up to a pre-determined number of prior passwords whenever possible.

6. Change/Termination Procedures

   1. The Human Resources Department (or other designated department), and a workforce member’s supervisor must ensure that the Change/Termination Checklist is processed upon completion and/or termination of the workforce member’s employment or other workforce relationship, or upon a change in job assignment or employment status. See sections VII (Documentation Requirements) and VIII (Forms).
   2. Each person responsible for a portion of the off-boarding or change process must complete their portion of the Change/Termination Checklist.
   3. A workforce member’s access rights must be terminated immediately upon notification, or if the change is scheduled, on the effective date of the change.

7. Documentation Requirements

   1. The unit must document and maintain all of the following records for a period of at least six years, from the date of its creation or the date when it last was in effect, whichever is later:
      1. Records of authorization decisions. (See I. above)
      2. System Access Request Forms. (See III. above)
      3. Confidentiality and Information Access Agreement. (See III. above)
      4. Change/Termination Checklists. (See VI. above.)
      5. A description of the workforce members who are able to add, remove, or modify the access to some or all of the organization’s information systems.

8. Forms

   Forms and signatures may be paper or electronic.

   1. Confidentiality and Information Access Agreement (template)
   2. System Access Request (template)
   3. Change/Termination Checklist (template)

Consequences for Noncompliance

Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.

Further, the U.S.Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.

Related UW-Madison Policies:

UW-100 Designation of UW-Madison Health Care Component

UW-109 The Minimum Necessary Standard

UW-125 HIPAA Security Oversight

UW-126 HIPAA Security Auditing

UW-131 Notification and Reporting in the Case of Breach of Unsecured Protected Health Information

UW-135 HIPAA Security Facilities Management

UW-137 HIPAA Privacy and Security Training

UW-141 Designation of Privacy and Security Coordinators

Related UW–Madison Documents, Web Pages, or Other Resources:

Additional information may be found at www.compliance.wisc.edu/hipaa

External References:

45 C.F.R. §164.308(a)(1)(i) (HIPAA Security Rule – Security Management Process)

45 C.F.R. §164.308(a)(3)(ii)(A) (HIPAA Security Rule – Supervision)

45 C.F.R. §164.308(a)(3)(ii)(B) (HIPAA Security Rule – Workforce) Clearance Procedures

45 C.F.R. §164.308(a)(3)(ii)(C) (HIPAA Security Rule – Termination Procedures)

45 C.F.R. §164.308(a)(4)(ii)(B-C) (HIPAA Security Rule – Access Authorization)

45 C.F.R. §164.312(a)(2)(i) (HIPAA Security Rule – Unique User Identification)

45 C.F.R. § 164.312(d) (HIPAA Security Rule – Person or Entity Authentication)

45 C.F.R. §164.316(a-b) (HIPAA Security Rule – Documentation)

45 CFR Subpart D (HITECH Act) Resources

HIPAA Collaborative of Wisconsin “System Access” policy template

UW-Madison OneTrust

Policy Administration

Approval Authority:

Vice Chancellor for Legal Affairs

Policy Manager:

HIPAA Security Officer

Contact:

HIPAA Privacy Officer -- Jack Talaska, hipaa@wisc.edu, (608) 265-4077

Effective Date:

02-21-2018

Revised Dates:

02-21-2018: Effective date of the revised policy: 02-21-2018.
03-26-2020: Effective date of the revised policy: 03-26-2020.

Retrieved:

05-19-2022 14:15:57