Unit 2 Assignment 2: Procedure Guide on Access Control
I. Access Control Procedure
a. If a system does not support the minimum structure and complexity as detailed in the aforementioned guidelines, one of the following procedures must be implemented:
i. The password assigned must be adequately complex to ensure that it is not easily guessed, and the complexity of the chosen alternative must be defined and documented.
ii. The legacy system must be upgraded to support the requirements of this paragraph as soon as administratively possible.
iii. All EPHI must be removed and relocated to a system that supports the foregoing security password structure.
iv. Users or workforce members must not allow another user or workforce member to use their unique user identification or password.
v. Users or workforce members must ensure that their user identification is not documented, written, or otherwise exposed in an insecure manner.
vi. Each user and workforce member must ensure that their assigned user identification is appropriately protected and only used for legitimate access to networks, systems, or applications. If a user or workforce member believes their user identification has been compromised, they must report that security incident to the appropriate Security Officer.
b. Emergency Access
i. WU HIPAA Security Policy requires procedures to ensure that access to a system that contains EPHI and is used to provide patient treatment is made available to any caregiver in the case of an emergency, if denial of or strict restriction on access to that EPHI could inhibit or negatively affect patient care. During extreme emergency conditions, RO would rely upon BJH electronic access to the IMPAC electronic medical record as well as BJH Health Information Management (HIM) for access to the physical medical record.
c. Automatic Logoff
i. Servers, workstations, or other computer systems containing EPHI repositories that have been classified as high risk (see HIPAA Security Policy #2 -- Security Management) must employ inactivity timers or automatic logoff mechanisms. The aforementioned systems must terminate a user session after a maximum of 15 minutes of inactivity. WU RO manages no high risk data repositories.
ii. Servers, workstations, or other computer systems located in open, common, or otherwise insecure areas that access, transmit, receive, or store EPHI must employ inactivity timers or automatic logoff mechanisms (e.g., a password-protected screensaver that blanks the screen). The aforementioned systems must lock a user session after a maximum of 15 minutes of inactivity.
iii. Applications and databases using medium or high risk EPHI, such as electronic medical records (EMR), must employ inactivity timers or automatic session logoff mechanisms. The aforementioned application sessions must automatically terminate after a maximum of 30 minutes of inactivity.
II. Access Control Procedure
a. Servers, workstations, or other computer systems that access, transmit, receive, or store EPHI, and are located in locked or secure environments, need not implement inactivity timers or automatic logoff mechanisms.
b. If a system that otherwise would require an inactivity timer or automatic logoff mechanism does not support one, one of the following procedures must be implemented:
i. The system must be upgraded or moved to support the required inactivity timer or automatic logoff mechanism.
ii. The system must be moved into a secure environment.
iii. All EPHI must be removed and relocated to a system that supports the required inactivity timer or automatic logoff mechanism.
c. When leaving a server, workstation, or other computer system unattended, workforce members must lock the system or activate its automatic logoff mechanism (e.g., Ctrl+Alt+Delete and Lock Computer), or log out of all applications and database systems containing EPHI.
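The inactivity-timer requirement in I.c and II above is a configuration that can be audited and enforced on the workstation itself. The following PowerShell script is an added example, not part of the assignment or of the WU policy it summarizes: it reads the per-user screen-saver values under `HKCU:\Control Panel\Desktop` (`ScreenSaveActive`, `ScreenSaverIsSecure`, `ScreenSaveTimeOut`), reports whether they meet the 15-minute limit for a workstation in an open area, and corrects them if not. The 900-second default and the `Get-LockSetting`/`Test-LockSetting` function names are assumptions made for this example.

```powershell
# Added example (not from the original document): audit and enforce the
# 15-minute inactivity lock from section I.c.ii on a Windows workstation.
# Assumption: the machine is in an open or common area, so the 900-second
# limit applies. Pass -MaxIdleSeconds 1800 only where the 30-minute
# application-session limit (I.c.iii) is the governing requirement.

param(
    [int]$MaxIdleSeconds = 900
)

$desktopKey = 'HKCU:\Control Panel\Desktop'

function Get-LockSetting {
    # Values are REG_SZ strings; a value that was never set reads as $null,
    # which [int] turns into 0 and therefore into a non-compliant result.
    $props = Get-ItemProperty -Path $desktopKey
    [pscustomobject]@{
        Active  = [int]$props.ScreenSaveActive      # 1 = screen saver enabled
        Secure  = [int]$props.ScreenSaverIsSecure   # 1 = password required on resume
        Timeout = [int]$props.ScreenSaveTimeOut     # idle seconds before it starts
    }
}

function Test-LockSetting {
    param([pscustomobject]$Setting, [int]$Limit)
    # Compliant only if the saver is on, requires a password, and fires
    # within the limit. A timeout of 0 means "never", so it fails too.
    return ($Setting.Active -eq 1 -and
            $Setting.Secure -eq 1 -and
            $Setting.Timeout -gt 0 -and
            $Setting.Timeout -le $Limit)
}

$before = Get-LockSetting
Write-Host ("Current: active={0} secure={1} timeout={2}s" -f
    $before.Active, $before.Secure, $before.Timeout)

if (Test-LockSetting -Setting $before -Limit $MaxIdleSeconds) {
    Write-Host "Compliant: session locks within $MaxIdleSeconds seconds of inactivity."
} else {
    # Weak setting (no saver, no password on resume, or timeout above the
    # limit): apply the corrected values. Registry values are strings here.
    Set-ItemProperty -Path $desktopKey -Name ScreenSaveActive    -Value '1'
    Set-ItemProperty -Path $desktopKey -Name ScreenSaverIsSecure -Value '1'
    Set-ItemProperty -Path $desktopKey -Name ScreenSaveTimeOut   -Value "$MaxIdleSeconds"

    $after = Get-LockSetting
    if (Test-LockSetting -Setting $after -Limit $MaxIdleSeconds) {
        Write-Host "Corrected: password-protected lock now set to $MaxIdleSeconds seconds."
    } else {
        Write-Warning "Values written but re-read as non-compliant; check Group Policy overrides."
    }
}
```

Because these HKCU values are per-user and can be changed back by the user, this script is suitable for a spot check or a one-off fix; on a domain-joined fleet the same control should be pushed by Group Policy (the screen-saver policy settings or the "Interactive logon: Machine inactivity limit" security option), which users cannot override, and the script's `Test-LockSetting` result can then serve as the audit evidence that the policy actually took effect.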
III. Encryption and...