...
| Panel |
|---|
Document Name: NCSA HIPAA Access Control Approved: June 30, 2016 |
| Table of Contents |
|---|
...
These processes apply only to staff in the NCSA Health Care Component. NCSA customers and other Business Associates (BAs) are responsible for authorization decisions of their own staff and can manage their access control groups directly. Users of the system from other parts of the University must be part of the University covered entity, and a Principal Investigator (PI) is responsible for authorization decisions for their project teams and can modify group credentials directly. Regardless of the approval process, NCSA will record the access changes made by Business Associates to ACHE resources through its authorization framework.
Policy
All requests to add or revoke access to the ACHE must be approved by the HIPAA liaison. The HIPAA liaison maintains a list of staff who have elevated privileges with the ability to make changes to the ACHE. The HIPAA liaison grants access in accordance with minimum necessary standard per the HIPAA Privacy Rule.
Procedures
NCSA will track approvals and changes made to access groups, keeping records for 6 years or from the inception of the program. Each step of the following workflows is approved by a member of the NCSA Health Care Component while logged in with their personal credentials, and each approval sends emails to the approver and other relevant parties.
...