HIPAA Core Policy: Information Systems and Network Access

HIPAA Core Policy: Information Systems and Network Access

Abstract:
This policy establishes the minimum criteria for granting approved access to information systems.
Effective Date:
3/23/2016
Responsible Party:
Contacts:
None Assigned
Administrative Category:
Applies To:
Faculty, Staff, Students
Material Original Source:

1. PURPOSE: To establish guidelines for the minimum criteria for granting approved access to information systems involving protected health information (PHI).

2. PHILOSOPHY:   Authorized individuals should be able to access information systems based on minimum necessary privileges.

3. APPLICABILITY:   This policy applies to all UAB/UABHS Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, Callahan Eye Hospital and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West, VIVA Health, Inc., the University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, and other UABHS managed entities that may be added from time to time, UAB School of Medicine, UAB School of Dentistry, UAB School of Optometry, UAB School of Health Professions, UAB School of Nursing, School of Education Community Clinic, UAB Health Plans, and other covered entities that may be added from time to time. For purposes of this policy, UAB/UABHS Covered Entities shall be referred to as "UAB".

4. ASSOCIATED INFORMATION:

4.1. Definitions:

4.1.1. Appropriate Information Security Officer (ISO): The entity’s ISO who acts in conjunction with the HIPAA Security Office for UAB.

4.1.2. Authentication mechanism: Items including, but not limited to, passwords, tokens, biometrics, and smart cards used for confirming a user’s identity.

4.1.3. Business Associate: A person or entity (other than an employee of a UAB Covered Entity) who performs a function or activity involving the use or disclosure of protected health information, including, but not limited to, claims processing or administration, data analysis, processing or  administration, utilization review, quality assurance, billing, benefit  management, practice management, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, for or on behalf of a UAB Covered Entity. A Business Associate of one UAB Covered Entity does not become a Business Associate of any other UAB Covered Entity simply by virtue of the UAB Affiliation.

4.1.4. Direct Need-to-Know: Those persons or classes of persons, as appropriate who need access to specific protected health information to carry out their work-related duties.

4.1.5. Electronic Communication Network: This includes things such as the Internet, wireless, or wired network.

4.1.6. Electronic Protected Health Information (ePHI):  Protected health information in electronic form.

4.1.7. HIPAA: Health Insurance Portability and Accountability Act.

4.1.8. Minimum Necessary:  To make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.

4.1.9. Portable Computing Devices (PCDs): Include, but are not limited to, hand held devices (e.g. laptop computers, tablet PCs, notebook computers), Smart phones, portable workstations on wheels and carts, biomedical devices that collect patient information or provide life support and medical treatment, and pagers that store data. Portable computing devices are battery operated (though they may support direct connection to utility power), freestanding devices used for the purposes of data storage, retrieval, analysis, and exchange. Such devices may interact with other networked systems, the internet, desktop personal computers via some form of interconnection and/or synchronization process.

4.1.10. Portable Storage Devices (PSDs): Include, but are not limited to, external hard disk drives, DVDs, CDs, flash drives, USB drives, tapes, and other portable storage devices capable of acting as a transport agent for digital information.

4.1.11. Protected Health Information (PHI): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies an individual or there is a reasonable basis to believe the information can be used to identify the individual and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Right and Privacy Act and employment records held by a covered entity in its role as an employer.

4.1.12. Remote Access: Users outside of a covered entity’s network accessing data on the entity’s network.

4.1.13. Sensitive Information: Any information that may only be accessed by authorized personnel. It includes protected health information, financial information, personnel data, trade secrets and any information that is deemed confidential or that would negatively affect UAB if inappropriately handled.

4.1.14. Strong Passwords: Current industry best practices identify this as a minimum of eight  alpha-numeric characters with at least one upper-case and one special character.

4.1.15. User: Any individual who accesses UAB electronic protected health information assets.

4.1.16. User Account: Information used by a user to gain access to UAB ePHI resources. This includes, but is not limited to, user IDs, passwords, personal identification numbers (PIN), tokens, certificates, biometrics, and smart cards.

4.1.17. User ID: An individual ID used to identify a unique individual when logging into a UABHS information resource such as a computer network, service, or application.

5. POLICY:

5.1. Requests for access to UAB's/UABHS’s ePHI shall be granted only to individuals with a direct need to know.

 

5.2. Approval will be based upon minimum necessary privileges and the direct need to know for a specific job function.

 

5.3. In situations where work is performed by any non-UAB employee on a system containing ePHI, it is the responsibility of the appropriate manager to seek pre-approval for access and to monitor the individual's activities on the system. Non-UAB employees must have an approved Business Associate Agreement (if there is a possibility of accessing PHI) prior to request for approval to access information resources of a covered entity.

 

5.4. Transmission of PHI or other sensitive information over an electronic communication network shall be encrypted.

 

5.5. Network personnel shall not open ports through any firewall without pre-approval from appropriate management or information security office. Approved requests shall be documented.

 

5.6. Use of portable devices to store ePHI must be pre-approved by the appropriate information security office and must be properly secured with proper physical and software controls in accord with the HIPAA Security Core Policy, "Use of Portable Devices."

 

5.7. All requests for phone lines shall be approved by the UAB Communications Department or HSF Telecommunications.

 

5.8. Any external access to a UAB network containing ePHI (i.e., dial-in modems) or internal access to outside networks (i.e., DSL lines) that bypasses the UAB and UABHS firewalls shall be approved by the appropriate information security office.

 

5.9. Access for non-UAB personnel must be uniquely identifiable and submitted in writing to the appropriate information security office prior to receiving access. The written request for access shall describe the reason and duration of the need (to include an anticipated termination date). This written request must describe the nature of access, reference the Business Associate Agreement (BAA) if needed, contain sufficient information to identify potential risk, and meet the minimum necessary requirement. If granted, the access must be documented, noting the date when granted.

 

5.10. Requests for access to ePHI sytems utilized for Institutional Review Board-approved research shall be reviewed against the above established criteria on a case by case basis.

 

5.11. All networks containing ePHI shall utilize measures to prevent unauthorized devices from connecting to the network.

 

5.12. User's responsiblities:

5.12.1. Shall follow the UAB and their department's system security procedures, i.e., security patches, anti-malware protection, anti-spam protection. Exceptions shall be approved by the appropriate information security office.

 

5.12.2. Shall not implement systems that function as a bridge between UAB/UABHS network containing ePHI/sensitive information and an external network, i.e., split tunneling.

 

5.12.3. Shall log off applications containing ePHI/sensitive information when not in use. Also shall lock the computer screen or log off windows when not in use.

 

5.12.4. Shall not share their access codes or passwords with other individuals.

 

5.12.5. Shall not perform unauthorized scanning on a UAB network. Scanning activities must be pre-approved by the appropriate information security office. Examples include but are not limited to Nmap scans, Nessus assessments, port scans, phone sweeps, probing tools, and other similar scanning activities.

 

5.12.6. Shall not attempt unauthorized or inappropriate access to any UAB system including those containing ePHI or other sensitive information.

 

5.12.7. Shall apply the same security policies and procedures as is required in the workplace when accessing UAB resources containing ePHI regardless of the location (i.e., applying necessary access lists, software or network firewalls, access controls, etc., when at home or other off-site location).

 

5.13. System Administrator responsibilities:

5.13.1. Shall report unapproved portable devices to the appropriate manager.

 

5.13.2. Shall implement and maintain the latest security patches on the systems under their management.

 

5.13.3. Shall implement and maintain anti-malware software on the systems under their management.

 

5.13.4. Shall apply automatic logoff/lockout features for inactive user sessions (i.e., 15 minutes logoff in high volume/traffic areas as per industry best practices or local policy).

 

5.13.5. Shall use separate, unique user accounts to ensure individual accountability.

 

5.13.6. Shall establish user accounts and accounts with higher privilege, i.e., system administrator, supervisor, root, superuser, in a manner that ensures individual accountability.

 

5.13.7. Shall not establish group user accounts.

 

5.13.8. Shall grant minimum necessary and direct need-to-know access rights as applicable to the person's documented job function. The appropriate i,formation security office shall approve additional access rights.

 

5.13.9. Shall establish emergency access procedures for the systems they manage.

 

5.13.10. Shall keep and monitor logs in order to detect and document attempts to compromise accounts, password brute force, and other types of abuse.

5.14. Manager responsibilities:

5.14.1. Shall ensure users follow policies for use of portable devices in accord with the HIPAA Security Core Policy, "Use of Portable Devices".

 

5.14.2. Shall routinely monitor to ensure users are aware of and in compliance with the security policies including those addressing portable devices and home workstations.

 

5.14.3. Shall establish procedures in written or electronic form to cpmply with this policy and if action, activity, or assessment is required by this policy to be documented, maintain a written or electronic record of the action, activity, or assessment.

 

5.14.4. Shall ensure Business Associates are aware of and in compliance with all of the HIPAA and HITECH security requirements.

5.15. Business Associates' responsiblities:

5.15.1. All Business Associates shall be required to sign an approved Business Associate Agreement.

 

5.15.2. Business Associates must comply with UAB policies and standards applicable to the nature of their work with UAB.

5.16. Remote access:

5.16.1. Requests for remote access must be reviewed and approved. Security control used to safeguard sensitive information will be evaluated. Remote access accounts should be periodically reviewed. Examples of minimum security controls include unique user ID, strong password, two-factor authentication, session timeout, and secure connection.

 

5.16.2. Remote users when accessing ePHI systems shall use a UAB-approved Virtual Private Network (VPN) solution.

5.17. Violations

5.17.1. Violations of these policies may result in disciplinary action, up to an including dismissal and civil and criminal penalties.

 

5.17.2. Business Associates must comply with UAB policies applicable to the nature of their work with UAB. Business Associates who do not follow applicable requirements could be subject to breach of contract penalties, possible legal prosecution, civil and criminal penalties, and other legal remedies/ramifications as are available to UAB.

 

5.18. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this policy, contact one of the following:

5.18.1. your departmental HIPAA Entity Security Coordinator (found on the HIPAA website at http://www.hipaa.uab.edu/index.php/committees/24-committees/56-entity-security-coordinators).

5.18.2. the HSIS Help Desk at 934-8888.

5.18.3. the UAB IT AskIT Help Desk at 996-5555 or askit@uab.edu.

5.18.4. UAB/UABHS HIPAA Security Office at InfoSec@uab.edu or 975-1440.

5.18.5. UAB IT Information Security Line at 975-0842.

6. REFERENCES: None

 

7. SCOPE: This policy applies to all UAB HIPAA covered entities and their systems that maintain ePHI and applicable Business Associates.


8. ATTACHMENTS: None


To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/index.php/policies.