Assignment and Management of Access Privileges
Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Security Policies and Procedures
Policy Title: Assignment and Management of Access Privileges
Policy Number: IS-08 (Administrative Safeguard)
Effective Date: April 20, 2005; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
To describe how access to electronic protected health information (e-PHI) is assigned, managed and terminated.
Access to the Drexel University (DU) institutional databases, servers and networks is a privilege granted by DU, to be used only for those purposes for which the access is authorized. The Security Officer determines which Workforce Members appropriately have access to the facility and to e-PHI.
1. Assignment of Access to e-PHI
In general, only DU employees shall have access to e-PHI. Under certain circumstances non-employees may be granted access under carefully monitored and restricted conditions. Such access is at the discretion of the Data Steward and/or System Administrator.
All Workforce Members who are allowed access to e-PHI are assigned a specific level of access. Workforce Members who do not need access to e-PHI are not given such access.
- DU maintains access profiles to specify which PHI may be used by Workforce Members in each job class. This information is available on DU's Access Classification Categories and Education Model Matrix.
- DU assigns a unique user identification number to all employees who access and use e-PHI in performing their job. The Security Officer creates, assigns and revokes user identification numbers.
Privileged access (often called root access) to operating system or database administration tools and interfaces for enterprise systems or systems housing confidential data or information will be at the discretion of the Security Officer. Each individual who develops or is given access to institutional databases or networks shall read and understand this policy and all derivative policies.
2. Termination of Access
When an individual’s employment with DU ends for any reason, the Privacy and Security Officers are notified. The terminating employee's access to e-PHI and the facility is terminated by removing his/her user identification from DU computers and obtaining the return of any other means of physical access, such as keys, key cards, ID numbers, access codes, etc.
Terminating employees are required to turn in Mobile Devices, portable computers and any other DU property, tangible or intangible.
45 CFR 164.308(a)(3), (a)(4)(i); 164.514(d)(2)
Cross References: IS-01, Access to e-PHI on DU Information Systems; IS-14, Audit Controls; HR-48, Termination Policy