HIPAA Core Policy: Information Systems Account Management

Abstract:
This policy sets forth guidelines for establishing minimum criteria for user account management.
Effective Date:
8/22/2012
Contacts:
None Assigned
Applies To:
Faculty, Staff, Students
Keyword(s):
None Assigned

1. PURPOSE: To set forth guidelines for establishing minimum criteria for user account management.


2. PHILOSOPHY: Each UAB/UABHS Covered Entity's information systems shall preserve the confidentiality, integrity, and availability of the data available through them, and shall hold each user accountable for his or her access to that data.


3. APPLICABILITY: This standard applies to all UAB/UABHS Covered Entities: University Hospital and all its facilities, The Kirklin Clinic, Callahan Eye Hospital, UAB Health Centers, Medical West, VIVA Health, Inc., University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, UAB School of Medicine, UAB School of Dentistry, UAB School of Optometry, UAB School of Health Professions and UAB School of Nursing. For purposes of this standard, UAB/UABHS Covered Entities shall be referred to as "UAB", "UAB Covered Entities", or "UAB/UABHS/UAHSF".


4. ASSOCIATED INFORMATION:

4.1. Definitions:

4.1.1. Account Administrator: Individuals who are charged with adding, removing, and modifying access privileges granted to other personnel.

4.1.2. Authentication mechanism: Items such as, but not limited to, passwords, tokens, biometrics, and smart cards used for confirming a user’s identity.

4.1.3. Minimum Necessary: To make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.

4.1.4. Separation: The cessation of an individual’s authority to occupy any role and perform any responsibilities on behalf of UAB/UABHS. This may occur through the resignation of personnel, or the termination of personnel or contractual agreement.

4.1.5. Strong passwords: Passwords that are at least six characters long (eight or more where the system supports it) and that should include a mix of upper- and lower-case letters, digits, and/or special characters, e.g. #, @, %, /, ?.

4.1.6. User account: Information used by a user to gain access to UAB/UABHS ePHI resources. This includes, but is not limited to, user ids, passwords, personal identification numbers (PIN), tokens, certificates, biometrics, and smart cards.

4.1.7. User ID: Synonymous with sign-on code.

4.2. Background Information: Access is determined by position, role, and/or responsibility. If an employee’s position, role, and/or responsibility change, system access shall be reevaluated as to its applicability. If the user believes that their account has been compromised, the user must contact their information systems help desk to report the occurrence and change their account information.


5. STANDARDS:

5.1. Mechanisms shall be put in place to uniquely identify the users accessing UAB/UABHS resources.

5.1.1. Approved generic system accounts may be used to access the UAB/UABHS Covered Entities’ networks. Such accounts shall only grant internet access and the ability to select given icons to launch the approved applications; however, user accounts accessing applications shall be unique.

5.1.2. Application and system user accounts for UAB/UABHS personnel shall uniquely identify the user. Application and system user accounts for vendor personnel may be generic only if the vendor has a mechanism to uniquely identify its personnel accessing UAB/UABHS resources.

5.1.3. System accounts used for communications between systems shall be unique and shall be held confidential by the system administrators. If a system administrator's role changes and that administrator is no longer responsible for administering a given system, the remaining administrators shall change the system account's credential (for example, rotate its password or key) so that the departing administrator can no longer use it.

5.2. A user's account shall be deactivated immediately upon the user's separation from UAB/UABHS (see 4.1.4).

5.3. Users shall be given the minimum necessary access privileges to perform their duties. If a user's position, role, and/or responsibility changes, the user's account privileges shall be reevaluated and modified (if necessary) by their manager to match the minimum necessary for the current position's responsibilities.

5.4. All systems and applications are required to use at least a user identifier (typically a user id) and an authentication mechanism, e.g. password, token, biometrics, smart card.

5.5. Minimally each department or clinical area shall have a designated written authorization process for granting access to UAB/UABHS information resources. This process shall include a procedure for validating a user’s identity and notifying the user’s supervisor. Such a process shall include how the person granting access is identified. This person shall be a specifically identified individual who grants others access to resources.

5.5.1. All account requests shall at least include the last four digits of a user’s social security number or an equivalent, such as employee number or logon ID.

5.5.2. All users requesting an account shall be required to provide their name as it appears on their personnel records (if applicable), department, title, phone number, and their supervisor’s name and email address.

5.6. A process to document initial account requests shall be in place for each system.

5.7. Personnel shall notify the appropriate information systems help desk of any account violations.

5.8. Newly implemented systems and current systems with the capability shall comply with the following standards. Existing systems without the capability shall use their maximum available security features and work to comply with the following standards as systems are upgraded.

5.8.1. All systems shall enforce strong password selection.

5.8.2. All systems shall have audit trail capabilities that provide documented evidence of user access.

5.8.3. Passwords shall not be viewable by users or system administrators.

5.8.4. Passwords shall never be stored in plaintext. Systems shall store only a salted one-way hash of each password (or, where a system offers no hashing option, its strongest available encrypted form), so that the password cannot be recovered from the stored value.

5.8.5. Default passwords and PINs shall be changed.

5.8.6. Guest accounts shall be disabled.

5.8.7. The system shall prompt a user to choose a new password upon initial access to the system or after the account has been reset.

5.9. Users’ Responsibilities:

5.9.1. Users shall protect account information and prevent use of their IDs, passwords, PINs, and tokens by others.

5.9.2. Users shall access information appropriately – with individually-assigned accounts and in compliance with UAB/UABHS standards and policies.

5.9.3. Users shall not re-use expired passwords for at least 4 password-expiration cycles.

5.9.4. Users shall choose a new password upon initial access to the system and each time the password is reset by the administrator – to the extent that password change capabilities are supported by the system.

5.9.5. Users shall choose strong passwords – to the extent that strong password capabilities are supported by the system.

5.9.6. Users have a responsibility to close or log off applications or lock the workstation immediately after use.

5.9.7. Users shall provide account administrators with their manager’s contact information (name, e-mail and phone number) when directly requesting access to information resources.

5.9.8. Vendors and contractors shall not directly request access to UAB/UABHS resources. Access requests shall be submitted by the vendor’s/contractor’s assigned UAB/UABHS management contact.

5.9.9. Users shall contact the appropriate system administrator for password resets and user account issues.
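The password rules above (4.1.5 strong passwords, 5.8.1 enforcement, 5.8.4 no clear-text storage, 5.8.7 forced change after creation or reset, and 5.9.3 no reuse for four cycles) can be checked mechanically. The following Python is an added example written for this page; it is not code from the UAB/UABHS policy or from any UAB system. The minimum length of 8, the "three of four character classes" rule, the special-character set, the PBKDF2 work factor, and the user id and passwords in the usage section are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed values; the policy leaves the exact numbers to each system.
MIN_LENGTH = 8            # the upper end of 4.1.5's "six to eight characters"
HISTORY_DEPTH = 4         # 5.9.3: the four most recent credentials may not be reused
SPECIALS = set("#@%/?!$&*-_.+=")   # 4.1.5's examples plus a few common ones
PBKDF2_ROUNDS = 50_000    # assumed work factor, kept low so the example runs quickly


def is_strong(password: str) -> bool:
    """4.1.5 / 5.8.1: minimum length plus a mix of character classes (three of four assumed)."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    )
    return sum(classes) >= 3


def hash_password(password: str, salt: bytes) -> bytes:
    """5.8.4: only a salted one-way hash is stored; the clear text is never written anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def matches(password: str, entry: tuple) -> bool:
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt), digest)


class Account:
    """One user account (4.1.6): a current credential, its predecessors, and the 5.8.7 flag."""

    def __init__(self, user_id: str):
        self.user_id = user_id
        self.current = None         # (salt, digest) of the password in force
        self.previous = []          # earlier (salt, digest) pairs, most recent first
        self.must_change = True     # 5.8.7: set at creation and by every administrator reset
        self.temporary = False      # the current credential was issued by an administrator

    def _retire_current(self):
        # A user-chosen password joins the history; an administrator's temporary one does not.
        if self.current is not None and not self.temporary:
            self.previous.insert(0, self.current)
            del self.previous[HISTORY_DEPTH:]

    def admin_reset(self, temporary_password: str) -> None:
        """5.9.9 / 5.8.7: the administrator issues a temporary credential the user must replace."""
        self._retire_current()
        salt = os.urandom(16)
        self.current = (salt, hash_password(temporary_password, salt))
        self.must_change = True
        self.temporary = True

    def login(self, password: str) -> str:
        """Returns 'denied', 'change_required' (5.8.7) or 'ok'."""
        if self.current is None or not matches(password, self.current):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def set_password(self, new_password: str) -> str:
        """Returns 'ok' or the reason the change was rejected."""
        if not is_strong(new_password):
            return "rejected: not a strong password (4.1.5)"
        # 5.9.3: each stored hash carries its own salt, so the candidate is re-hashed
        # under every salt in the window; one hash per history entry is the price of
        # never keeping a password in recoverable form.
        window = ([self.current] if self.current is not None else []) + self.previous
        for entry in window[:HISTORY_DEPTH]:
            if matches(new_password, entry):
                return "rejected: reused within the last %d cycles (5.9.3)" % HISTORY_DEPTH
        self._retire_current()
        salt = os.urandom(16)
        self.current = (salt, hash_password(new_password, salt))
        self.must_change = False
        self.temporary = False
        return "ok"


if __name__ == "__main__":
    acct = Account("jdoe")                   # constructed account for the demonstration
    acct.admin_reset("Temp#2012pw")
    print(acct.login("Temp#2012pw"))         # change_required
    print(acct.set_password("Temp#2012pw"))  # rejected: reused within the last 4 cycles (5.9.3)
    print(acct.set_password("Spring2012!"))  # ok
    print(acct.login("Spring2012!"))         # ok
```

Two design points are worth noting. Because every stored digest has its own salt, the reuse check in 5.9.3 cannot be done by comparing strings; the candidate must be re-hashed under each historical salt, which is why the history is capped at the four entries the policy requires. And the administrator's temporary password is deliberately excluded from the history but still rejected as a new password, so a user cannot simply keep the value the help desk gave them.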

5.10. Account Administrators’ Responsibilities:

5.10.1. Account administrators shall notify the user’s manager when a direct request for access is submitted by the user.

5.10.2. Account administrators shall modify, disable, and remove user accounts upon notification from the appropriate manager.

5.10.3. Account administrators shall routinely analyze system logs to determine accounts that may have been compromised.

5.10.4. Account administrators shall not accept access requests from vendors or contractors. Access requests for vendors and contractors shall be submitted by UAB/UABHS management with oversight for the vendors’/contractors’ activities.

5.10.5. Account administrators shall ensure that systems are configured to comply with this standard.
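The routine log review called for in 5.10.3 presupposes the audit trail of 5.8.2. The Python below is an added example written for this page, not code or a log format from any UAB/UABHS system: it reads constructed authentication-log lines in an assumed `timestamp user= src= result=` layout and flags three conditions an account administrator would want to see, namely a success that follows a burst of failures, one account succeeding from two different sources within a few minutes, and any successful login by an account on a list of separated users (5.2). The thresholds and all user ids and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of the audit trail 5.8.2 requires; the format and every value are assumed.
SAMPLE_LOG = """\
2012-08-22T08:01:00 user=asmith src=10.1.4.22 result=OK
2012-08-22T08:02:10 user=jdoe src=10.1.9.7 result=FAIL
2012-08-22T08:02:12 user=jdoe src=10.1.9.7 result=FAIL
2012-08-22T08:02:15 user=jdoe src=10.1.9.7 result=FAIL
2012-08-22T08:02:17 user=jdoe src=10.1.9.7 result=FAIL
2012-08-22T08:02:20 user=jdoe src=10.1.9.7 result=FAIL
2012-08-22T08:02:25 user=jdoe src=10.1.9.7 result=OK
2012-08-22T08:10:00 user=asmith src=10.1.4.22 result=OK
2012-08-22T08:12:00 user=asmith src=192.0.2.55 result=OK
2012-08-22T08:30:00 user=bjones src=10.1.4.40 result=FAIL
2012-08-22T08:31:00 user=bjones src=10.1.4.40 result=OK
2012-08-22T09:00:00 user=rgone src=10.1.4.51 result=OK
""".splitlines()

LINE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(OK|FAIL)$")

# Assumed review thresholds.
FAIL_BURST = 5                        # failures before a success that suggest guessing
FAIL_WINDOW = timedelta(minutes=10)
HOP_WINDOW = timedelta(minutes=5)     # one account, two sources, this close together


def parse(lines):
    """Returns (timestamp, user, source, result) tuples in time order; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts, user, src, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, src, result))
    events.sort(key=lambda e: e[0])
    return events


def suspicious_accounts(lines, separated=frozenset()):
    """Maps user id -> list of reasons an account administrator should review it."""
    per_user = defaultdict(list)
    for event in parse(lines):
        per_user[event[1]].append(event)

    findings = defaultdict(list)
    for user, events in per_user.items():
        # 5.2: any successful use of a separated person's account is a finding on its own.
        if user in separated and any(r == "OK" for _, _, _, r in events):
            findings[user].append("login after separation")

        # Guessing: FAIL_BURST or more failures inside FAIL_WINDOW, then a success.
        fails = []
        for ts, _, src, result in events:
            if result == "FAIL":
                fails.append(ts)
                continue
            recent = [t for t in fails if ts - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_BURST:
                findings[user].append("success after %d failures from %s" % (len(recent), src))
            fails = []

        # Sharing or hijack: successes from different sources within HOP_WINDOW.
        oks = [(ts, src) for ts, _, src, r in events if r == "OK"]
        for (t1, s1), (t2, s2) in zip(oks, oks[1:]):
            if s1 != s2 and t2 - t1 <= HOP_WINDOW:
                findings[user].append("logins from %s and %s within %s" % (s1, s2, t2 - t1))
                break
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in suspicious_accounts(SAMPLE_LOG, separated={"rgone"}).items():
        print(user, reasons)
```

On the sample above the review flags jdoe (five failures in fifteen seconds, then a success), asmith (two sources two minutes apart) and rgone (a login after separation), and leaves bjones alone because a single mistyped password is not evidence of compromise. A real review would read the system's own log format and tune the thresholds to the application, but the shape of the check, per-account sequences of results and sources rather than raw line counts, is the part that carries over.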

5.11. Managers’ Responsibilities:

5.11.1. Managers shall ensure and justify appropriate access for those under their supervision – including employees, vendors, contractors, and other third parties.

5.11.2. Managers shall provide account administrators with a projected separation date or contract termination date when requesting user accounts for temporary employees, vendors, contractors, and other third parties.

5.11.3. Managers shall ensure that access rights are the minimum necessary and commensurate with current job responsibilities for all individuals under their supervision.

5.11.4. Managers shall review, approve, and submit requests for the user accounts of those individuals under their supervision.

5.11.5. Managers shall ensure that individuals under their supervision are trained to access and use UAB/UABHS information resources.

5.11.6. Managers shall enforce standards, policies, and procedures associated with the use of UAB/UABHS information resources.

5.11.7. Managers shall notify relevant account administrators upon an employee’s termination or transfer and upon a vendor’s, a contractor’s, or another third-party’s completion of service.

5.12. UAB/UABHS employees who do not follow the above standards may be subject to disciplinary action up to and including dismissal.

5.13. Vendors or contractors who do not follow the above standards may be subject to breach of contract penalties.

5.14. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this standard, contact one of the following:

5.14.1. your departmental HIPAA Entity Security Coordinator (found on the HIPAA website at http://www.hipaa.uab.edu/securitycontacts.htm)

5.14.2. the HSIS Help Desk at 934-8888

5.14.3. the UAB IT AskIT Help Desk at 996-5555 or askit@uab.edu

5.14.4. UAB/UABHS HIPAA Security Office at 975-0072

5.14.5. UAB IT Data Security Office at 975-0842


6. REFERENCES: None


7. SCOPE: This standard applies to all UAB/UABHS entities covered under HIPAA and their systems that maintain PHI.


8. ATTACHMENTS: None


To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/standards.htm.