Password and System Confidentiality
Drexel University Clinical Covered Entities
Privacy Program Policies and Procedures
Policy Title: Password and System Confidentiality
Policy Number: IM-18
Effective Date: April 14, 2003; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
Table of Contents
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
Drexel University (DU) requires that each employee maintain system "password" information as confidential information. All employees are personally responsible for misuse of the system if a personal password is shared and leads to misuse of access to the system. Email passwords are to be changed at 180-day intervals. Automated system reminders will be sent to users 14 days and again 7 days prior to password expiration.
This Policy meets the requirement to inform employees of DU that patient privacy practices require strict confidentiality of the personal "password".
- All employees will maintain "password"(s) in a confidential manner. Passwords are not to be "shared" or placed in open view.
- Employees are required to change passwords as directed by information technology notice of scheduled changes in passwords. (180 days)
- The misuse of a password and misuse of system access caused by failure to protect a password will be addressed as dictated by the progressive discipline program.
- The Department Administrator or designee may maintain a list of employee voice mail or system passwords for emergency access purposes. Such lists should be maintained in a secure manner.
- System access is to be terminated upon employee departure from the organization.
- If the employee changes positions or department of employment, system access should be assessed.
Back to Top