Description

The purpose of this control is to ensure that units have Electronic Protected Health Information (ePHI) procedures that authorize access only on the basis of the requestor's job role, and that the access granted is reviewed at least annually. This control is related to HIPAA Safeguard 45 CFR 164.308(a)(4), Information Access Management.

Applicability

  • This control applies to the University in its entirety, including all systems that process sensitive information.

Implementation

  • 1. University units acting as health care components will clearly identify and document:

    1.1 Information assets (devices, interfaces, applications, and datasets) that contain ePHI.

    1.2 The access protection mechanisms in place for those information assets, covering both logical and physical access.

    1.3 That unique user access and password management are in place on all logical information assets containing ePHI.

    1.4 That physical access controls are in place at the physical locations of the information assets.

    1.5 That all ePHI access is authorized by the information resource owner or their designee based upon the requestor's role.

    1.6 That, at least annually, all access information is reviewed to reaffirm that the access is still required. Separation of roles should be considered between the person(s) undertaking the access review and those whose access is being reviewed.