Document Name: NCSA HIPAA Access Control Policy and Procedures
Version: 1.1
Accountable: James Eyrich
Authors: Adam Slagell
This document specifies the procedures for granting, revoking and auditing access control to systems processing or storing ePHI (electronic Personal Health Information) covered by HIPAA.
These processes apply only to staff in the NCSA Health Care Component. NCSA customers and other Business Associates (BAs) are responsible for authorization decisions of their own staff and can manage their access control groups directly. Users of the system from other parts of the University must be part of the University covered entity, and a Principal Investigator (PI) is responsible for authorization decisions for their project teams and can modify group credentials directly. Regardless of the approval process, NCSA will record the access changes made by Business Associates to ACHE resources through its authorization framework.
All requests to add or revoke access to the ACHE must be approved by the HIPAA liaison. The HIPAA liaison maintains a list of staff who have elevated privileges with the ability to make changes to the ACHE. The HIPAA liaison grants access in accordance with the minimum necessary standard per the HIPAA Privacy Rule.
NCSA will track approvals and changes made to access groups, keeping records for 6 years or from the inception of the program. Each step of the following workflows is approved by a member of the NCSA Health Care Component while logged in with their personal credentials, and each approval sends emails to the approver and other relevant parties.
Alerts are sent to the Security Office and HIPAA liaison anytime there are direct modifications to the group management system that were not triggered by the approval workflow engine. Such legitimate changes are checked for by automated systems at least daily.
NCSA staff must be within the NCSA Health Care Component to make a valid request to be added to a system access group for systems processing or storing ePHI. Being in the NCSA Health Care Component itself does NOT grant any access, which must instead be requested by the staff member via the following process.
Deauthorization can happen automatically or by request. For example, being removed from the staff group upon leaving the NCSA will automatically remove one from the NCSA Health Care Component and by consequence from any access group for systems with ePHI. Therefore, even if a person leaves NCSA and has another legitimate reason for access in another unit, they will have to be reapproved by a PI in that unit to be added to the necessary group(s) for their project. The security office can also disable credentials and remove anyone from any group at any time, though an alert will be sent to them and the HIPAA liaison.
Employees, their managers, and the HIPAA liaison can request de-authorization as well via the following workflow.
All NCSA group owners are required to review group membership annually and approve or modify it. This includes customers who are BAs and their point of contact and PIs at the University. Access control groups that provide access to systems with ePHI are owned by the HIPAA liaison who must do the same, or the group is suspended automatically.