HIPAA Core Policy: Information Systems and Network Access

This policy establishes guidelines for the minimum criteria for granting approved access to information systems.

Responsible Party: None Assigned
Applies To: Faculty, Staff, Students

1. PURPOSE: To establish guidelines for the minimum criteria for granting approved access to information systems.

2. PHILOSOPHY: It is our belief that authorized individuals should be able to access information systems based on minimum necessary privileges.

3. APPLICABILITY: This standard applies to all UAB/UABHS Covered Entities: University Hospital and all its facilities, The Kirklin Clinic, Callahan Eye Hospital, UAB Health Centers, Medical West, VIVA Health, Inc., University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, UAB School of Medicine, UAB School of Dentistry, UAB School of Optometry, UAB School of Health Professions and UAB School of Nursing. For purposes of this standard, UAB/UABHS Covered Entities shall be referred to as "UAB", "UAB Covered Entities", or "UAB/UABHS/UAHSF".


4.1. Definitions:

4.1.1. Appropriate Information Security Officer (ISO): The entity’s ISO who acts in conjunction with the HIPAA Security Office for UAB/UABHS.

4.1.2. Authentication mechanism: Items including, but not limited to, passwords, tokens, biometrics, and smart cards used for confirming a user’s identity.

4.1.3. Business Associate: A person or entity (other than an employee of a UAB/UABHS Covered Entity) who performs a function or activity involving the use or disclosure of protected health information, including, but not limited to, claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, for or on behalf of a UAB/UABHS Covered Entity. A Business Associate of one UAB/UABHS Covered Entity does not become a Business Associate of any other UAB/UABHS Covered Entity simply by virtue of the UAB/UABHS Affiliation.

4.1.4. Direct Need-to-Know: Those persons or classes of persons, as appropriate, who need access to specific protected health information to carry out their work-related duties.

4.1.5. Electronic Communication Network: This includes networks such as the Internet and wireless or wired networks.

4.1.6. Electronic Protected Health Information (ePHI): Protected health information that is created, received, maintained, or transmitted electronically by or on behalf of the health care component of the covered entity.

4.1.7. HIPAA: Health Insurance Portability and Accountability Act.

4.1.8. Minimum Necessary: To make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.

4.1.9. Portable Computing Devices (PCDs): Include, but are not limited to, handheld devices (e.g. laptop computers, Palm, Handspring, Compaq, TRG, Pocket PCs, tablet PCs, notebook computers), pen pads, cell phones, personal digital assistants (PDAs), portable workstations on wheels and carts, biomedical devices that collect patient information or provide life support and medical treatment, and pagers that store data. Portable computing devices are battery operated (though they may support direct connection to utility power), freestanding devices used for the purposes of data storage, retrieval, analysis, and exchange. Such devices may interact with other networked systems, the Internet, and desktop personal computers via some form of interconnection and/or synchronization process.

4.1.10. Portable Storage Devices (PSDs): Include, but are not limited to, external hard disk drives, DVDs, CDs, flash drives, pen drives, USB drives, tapes, floppy disks, and other portable storage devices capable of acting as a transport agent for digital information.

4.1.11. Protected Health Information (PHI): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer or health care clearinghouse, that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies an individual, or for which there is a reasonable basis to believe the information can be used to identify the individual; and that is transmitted or maintained by electronic media or any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Rights and Privacy Act, or employment records held by a covered entity in its role as an employer.

4.1.12. Remote Access: Users outside of a covered entity’s network accessing data on the entity’s network.

4.1.13. Sensitive Information: Any information that may only be accessed by authorized personnel. It includes protected health information, financial information, personnel data, trade secrets and any information that is deemed confidential or that would negatively affect UAB if inappropriately handled.

4.1.14. Strong Passwords: Passwords that are at least six to eight characters long and are recommended to include upper and lower case alphanumeric characters and/or special characters, e.g. #, @, %, /, ?.

4.1.15. User: Any individual who accesses UAB/UABHS electronic protected health information assets.

4.1.16. User Account: Information used by a user to gain access to UAB ePHI resources. This includes, but is not limited to, user IDs, passwords, personal identification numbers (PIN), tokens, certificates, biometrics, and smart cards.

4.1.17. User ID: Synonymous with sign-on code.


5.1. Requests for access to UAB/UABHS's ePHI shall be granted only to individuals with a direct need-to-know.

5.18. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this standard, contact one of the following:

5.18.1. your departmental HIPAA Entity Security Coordinator (listed on the HIPAA website at http://www.hipaa.uab.edu/index.php/committees/24-committees/56-entity-security-coordinators).

5.18.2. the HSIS Help Desk at 934-8888.

5.18.3. the UAB IT AskIT Help Desk at 996-5555 or askit@uab.edu.

5.18.4. UAB/UABHS HIPAA Security Office at 975-0072.

5.18.5. UAB IT Data Security Office at 975-0842.

7. SCOPE: This standard applies to all UAB/UABHS entities covered under HIPAA, their systems that maintain ePHI, and applicable business associates.


To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/index.php/policies.