
HIPAA Authorized Access Standard

  • Standard - SBIT-202
  • Status - Adopted August 1, 2010
  • Source - Office of the Vice Chancellor for Information Technologies

Scope
This Standard applies to any IU South Bend departments, services, or groups that are a Covered Entity (CE), or that act on behalf of a Covered Entity, and that use or disclose electronic protected health information (ePHI) for any purpose, regardless of affiliation and irrespective of whether those resources are accessed from on-campus or off-campus locations.

Rationale
CE must prevent unauthorized access to information systems containing ePHI. Only properly authorized workforce members must be provided this access. The type and extent of access authorized to CE information systems containing ePHI must be based on a risk analysis. Access to CE information systems containing ePHI must be granted only to properly trained CE workforce members who have a need for ePHI in order to accomplish a legitimate task.

Statement

1. CE must protect the confidentiality, integrity, and availability of its information systems containing ePHI by preventing unauthorized access while ensuring that properly authorized workforce member access is allowed.

2. Access to CE information systems containing ePHI must be granted only to workforce members who have been properly authorized.

3. The type and extent of access to CE information systems containing ePHI must be based on risk analysis. At a minimum, the risk analysis must consider the following factors:

  • The importance of the applications running on the information system
  • The value or sensitivity of the ePHI on the information system
  • The extent to which the information system is connected to other information systems

4. Access to CE information systems containing ePHI must be authorized only for properly trained CE workforce members having a legitimate need for specific information in order to accomplish job responsibilities. All such access must be defined and documented. Such access must be regularly reviewed and revised as necessary.

5. Access to CE information systems containing ePHI must be established via a formal, documented process. At a minimum, this process must include:

  • Identification and definition of permitted access methods
  • Identification and definition of how long access will be granted to a user
  • Procedure for granting a workforce member an access method (e.g. password or token) or changing an existing access method
  • Procedure for managing access rights in a distributed and networked environment
  • Appropriate tracking and logging of actions by authorized workforce members on CE information systems containing ePHI

6. CE workforce members must not attempt to gain access to CE information systems containing ePHI for which they have not been given proper authorization.

7. CE must ensure that all workforce members who have the ability to access CE information systems containing ePHI are appropriately authorized and supervised.

8. CE workforce members must be adequately screened during the hiring process, including background checks.

9. As defined in CE's Termination Procedures policy, CE must create and implement a formal, documented process for terminating access to ePHI when the employment of a workforce member ends.

10. If the CE utilizes a health care clearinghouse, the clearinghouse must implement policies and procedures that protect ePHI from unauthorized access.

Definitions

ePHI - Electronic protected health information
means individually identifiable health information that is:

  • Transmitted by Electronic Media
  • Maintained in Electronic Media

Electronic media
(1) Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or

(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.

Information system
means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.

Workforce member
means employees, volunteers, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. This includes full and part time employees, affiliates, associates, students, volunteers, and staff from third party entities who provide service to the covered entity.

Availability
means the property that data or information is accessible and useable upon demand by an authorized person.

Confidentiality
means the property that data or information is not made available or disclosed to unauthorized persons or processes.

Integrity
means the property that data are accurate and consistent and have not been altered or destroyed in an unauthorized manner.

Risk analysis
means a systematic and analytical approach that identifies and assesses risks to the confidentiality, integrity or availability of a covered entity’s ePHI. Risk analysis considers all relevant losses that would be expected if specific security measures protecting ePHI are not in place. Relevant losses include losses caused by unauthorized use and disclosure of ePHI and loss of data integrity.

Sanctions

Failure to comply with Indiana University South Bend information technology standards and policies may result in sanctions relating to the individual's use of information technology resources (such as suspension or termination of access, or removal of online material); to the individual's employment (up to and including immediate termination of employment); civil or criminal liability; or any combination of these; for departments, may result in restrictions placed on access to ePHI data residing on IT hosts, or network access restrictions placed on hosts containing ePHI.

Related Policies, Laws, and Documents

Campuses, schools, colleges, departments, and other administrative units may have issued local policies and standards governing the appropriate use of information technologies deployed specifically to support that unit's activities. Managers of information technology services may have issued service-level policies and standards governing the appropriate use of their services. In order to understand and adhere to these requirements, users of these resources are responsible for consulting with appropriate unit or service staff.

Standard History

  • Approved August 1, 2010