Document Name: NCSA HIPAA Access Control Standard
This document specifies the procedures for granting, revoking and auditing access to systems that process or store ePHI (electronic Protected Health Information) covered by HIPAA.
These processes apply only to staff in the NCSA Health Care Component. NCSA customers and other Business Associates (BAs) are responsible for the authorization decisions of their own staff and can manage their access control groups directly. Users of the system from other parts of the University must be part of the University covered entity, and a Principal Investigator (PI) is responsible for the authorization decisions for their project team and can modify group membership directly. Regardless of the approval process, NCSA records the access changes made by Business Associates to ACHE resources through its authorization framework.
NCSA tracks approvals and changes made to access groups, keeping the records for 6 years (or since the inception of the program, if that is shorter). Each step of the following workflows is approved by a member of the NCSA Health Care Component while logged in with their personal credentials, and each approval sends email to the approver and the other relevant parties.
NCSA staff must be within the NCSA Health Care Component to make a valid request to be added to an access group for a system that processes or stores ePHI. Membership in the NCSA Health Care Component does NOT by itself grant any access; access must be requested by the staff member via the following process.
- Staff member submits request for access with the stated reason for the request. This request contains the requested access group name.
- Staff member's manager approves or rejects the request.
- An approved request proceeds to the HIPAA liaison, who considers the staff member's role and the stated reason for the request. The liaison also verifies that the staff member has completed approved HIPAA training.
- If the liaison approves and the staff member is in the NCSA Health Care Component group, the staff member is added to the requested group(s).
- Emails are sent to the staff member, their manager and the HIPAA liaison.