Access Controls and Authentication
Drexel University Clinical Covered Entities
HIPAA Privacy and Security Program
Security Policies and Procedures
Policy Title: Access Controls and Authentication
Policy Number: IS-13 (Technical Safeguard)
Effective Date: April 20, 2005; September 23, 2013
Last Revision: September 1, 2017
Responsible Officer: Vice President, Chief Compliance, Privacy and Internal Audit Officer
Table of Contents
This policy applies to all Covered Entities within Drexel University.
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
The purpose of this Policy is to describe in detail the combination of policy and technical solutions that supports Drexel University's (DU) ability to create, implement and maintain the access controls to systems which contain electronic protected health information (e-PHI) as described in Policy IS-08, Assignment and Management of Access Privileges.
DU protects all e-PHI by multiple access control mechanisms and systems. Use of multiple access controls allows DU a layered approach to security and provides a greater security level as more than a single point of failure must occur before e-PHI can be accessed inappropriately.
- Access Profiles
DU maintains access profiles to specify which PHI may be used by Workforce Members in each job class. This information is available on DU's Access Classification Categories and Education Model Matrix. (See Policy No. IS-08, Assignment and Management of Access Privilege.) Access to the Internet may be managed based on the requirements of the employee's position. This determination will be made by the Department Administrator in conjunction with the Chief Operating Officer, Clinical Practice Group (for clinical users) and the Chairs (for academic and research users). Administrator privileges will be limited by System Administrators and granted to others by the Security Officer based on operational need.
- Unique User Identification
DU assigns a unique user identification number to all employees who access and use e-PHI in performing their job. The Security Officer creates, assigns and revokes user identification numbers. DU holds all employees accountable for how they use or disclose e-PHI under their unique user identification number, and users are expected to keep their user identification number secure and are not permitted to share it with anyone.
- Emergency Access
DU has developed an emergency access policy and procedure for obtaining necessary e-PHI in the event of an emergency. (See DU Contingency Plan.)
- Automatic Log-out or Log-off
DU employs the use of automatic log-off. That is based on a risk assessment and individual job duties. Workforce Members must re-authenticate themselves after automatic log-off in order to log on again.
DU has installed password protection measures to verify that anyone trying to access e-PHI is the person that (s)he claims to be. Workforce Members are expected to keep their passwords confidential and not to share them with anyone else.
45 CFR §§ 164.312 (a)(1)(ii), 164.312 (d)
Cross References: IS-08, Assignment and Management of Access Privileges; IS-01, Access to e-PHI on DU Information Systems
Back to Top