Description
Applicability
- This control applies to the University in its entirety, including all systems that process sensitive information.
Implementation
1. University units acting as health care components will clearly identify and document:
   1.1 Information assets (devices, interfaces, applications, and datasets) that have ePHI.
   1.2 The information asset access protection mechanisms in place. This includes both logical and physical access.
   1.3 That unique user access and password management is in place on all logical information assets containing ePHI.
   1.4 That physical access controls are in place for the information asset physical location.
   1.5 That all ePHI access is authorized by the information resource owner or their designee based upon the requestor's role.
   1.6 At least annually, review all access information to reaffirm the access is still required. A separation of roles should be considered between the person(s) undertaking the access review and those whose access is being reviewed.
-
1.1