...
Employees, their managers, and the HIPAA liaison can request de-authroization authorization as well via the following workflow.
- Employee requests removal with justification and the access control groups they need to be removed from. (Optional: Can start with their manager)
- Request is received by (or starts with) the employee's manager who approves the request or fills in the same details if they start the request. (Optional: Can start with the HIPAA Liaison).
- The HIPAA Liaison either receives the request or starts a new one specifying the person and which groups they are to be removed from.
- If approved, the person is removed from the access control groups.
- Emails are sent to the staff member, their manager and the HIPAA liaison.
Audits
All NCSA group owners are required to review group membership annually and approve or modify it. This includes customers who are BAs and their point of contact and PIs at the University. Access control groups that provide access to systems with ePHI are owned by the HIPAA liaison who must do the same, or the group is suspended automatically.