Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Security Policies & Procedures

Section 12 - Access Control


Title: Unique User Identification
Policy: SEC-12.01
Category: HIPAA Compliance
Authority (HIPAA Section): 45 CFR § 164.312(a)(2)(i)
Standard: Access Control
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To ensure each OSU employee has their own computer account.

Policy

OSU will assign a unique name and/or number for identifying and tracking user identity.  §164.312(a)(2)(i)

Each OSU employee will use their own user-specific computer account to access systems containing ePHI.

Procedure

Applies to Practice Management, Electronic Medical Records and other systems utilizing ePHI.

  1. Unique user identification is created in the software for each employee as described in the Access Authorization policy.
  2. For authentication to Windows and the network, users will use their Active Directory log-in or O-Key account.
  3. The user then logs into the software with their unique user ID.
  4. For procedures in maintaining a secure computer account, see Password Guidelines.
  5. Procedures for tracking user logons can be found in Log-in Monitoring.
Reference

Access Authorization
Password Guidelines
Log-in Monitoring



Title: Emergency Access Procedure
Policy: SEC-12.02
Category: HIPAA Compliance
Authority (HIPAA Section): 45 CFR § 164.312(a)(2)(ii)
Standard: Access Control
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

Provide guidelines on how to access ePHI during an emergency.

Policy

OSU will establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.  §164.312(a)(2)(ii)

During an emergency, alternative means of accessing necessary ePHI will be made available to clinic and financial staff.
Procedure

If a single clinic is without access, other clinic locations will be designated to provide access to records and financial information.  Primary clinical and financial information can be accessed at an available site and communicated back to the limited location.  Based on the expected duration of inaccessibility, patients can be rescheduled to other locations or triaged.  If all clinics are without access, but the server is available, designated personnel will provide requested ePHI in printed format.  Operational information about scheduling is available via preprinted schedules.

In the event of a major emergency, the systems vendor will be contacted to develop an alternate method of accessing ePHI.

OSU will revert to Emergency Mode Operations in the event of a Major Emergency, such as a natural disaster.
Reference

Disaster Recovery



Title: Automatic Logoff
Policy: SEC-12.03
Category: HIPAA Compliance
Authority (HIPAA Section): 45 CFR § 164.312(a)(2)(iii)
Standard: Access Control
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To ensure an automatic logoff procedure occurs for ePHI systems.

Policy

OSU will implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.  §164.312(a)(2)(iii)

Procedure

Security is an issue that is shared by each employee. Once a user logged in to EMR or Practice Management reaches an idle activity time of 25 minutes, the system will automatically log them off. In addition, once the user's computer reaches an idle activity time of 25 minutes, a password-protected screen saver will be automatically enforced.
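The workstation half of this procedure (the 25-minute password-protected screen saver) can be verified on a Windows machine from its registry settings. The following script is an added example for auditing that setting; it is not part of the OSU-CHS policy and the registry paths it reads are the standard Windows screen saver values, with the Group Policy location checked first because a policy value overrides the user's own configuration. The application-side logoff in EMR and Practice Management is vendor configuration and is not covered by this check.

```powershell
# Added example (not part of the OSU-CHS policy): audit a Windows workstation's
# screen saver settings against the policy's 25-minute idle lock requirement.
# Checks the Group Policy-enforced values first (they override user settings),
# then falls back to the user's own Control Panel settings.
$RequiredTimeoutSeconds = 25 * 60   # policy: 25 minutes of inactivity

$UserKey   = 'HKCU:\Control Panel\Desktop'
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-ScreenSaverSetting {
    param([string]$Name)
    # Return the first location that defines the value, policy key taking precedence.
    foreach ($Key in @($PolicyKey, $UserKey)) {
        $Item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $Item) {
            return [pscustomobject]@{ Source = $Key; Value = $Item.$Name }
        }
    }
    return [pscustomobject]@{ Source = 'not set'; Value = $null }
}

$Active  = Get-ScreenSaverSetting 'ScreenSaveActive'     # "1" = screen saver enabled
$Secure  = Get-ScreenSaverSetting 'ScreenSaverIsSecure'  # "1" = password required on resume
$Timeout = Get-ScreenSaverSetting 'ScreenSaveTimeOut'    # idle seconds before it starts

$Findings = @()
if ($Active.Value -ne '1') { $Findings += 'screen saver is not enabled' }
if ($Secure.Value -ne '1') { $Findings += 'screen saver does not require a password on resume' }
if (-not $Timeout.Value -or [int]$Timeout.Value -gt $RequiredTimeoutSeconds) {
    $Findings += "idle timeout is '$($Timeout.Value)' seconds; policy requires $RequiredTimeoutSeconds or less"
}

if ($Findings.Count -eq 0) {
    Write-Output "COMPLIANT: password-protected screen saver within $RequiredTimeoutSeconds seconds (source: $($Timeout.Source))"
} else {
    Write-Output 'NON-COMPLIANT:'
    $Findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it in the context of the user whose session is being audited; because the values live under HKCU, a run from an administrator's separate logon reports that administrator's settings rather than the clinic user's. A value reported from the Policies key indicates the setting is centrally enforced rather than left to the user.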


Title: Encryption & Decryption
Policy: SEC-12.04
Category: HIPAA Compliance
Authority (HIPAA Section): 45 CFR § 164.312(a)(1)(iv)
Standard: Access Controls
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

Identify the methods to securely encrypt and decrypt ePHI.

Policy

OSU will implement a mechanism to encrypt and decrypt electronic protected health information.  §164.312(a)(1)(iv)

All access to CHS medical servers will be restricted by using only the vendor supplied client applications.

Procedure

The Supervisor of an individual employee requesting access determines what access to EMR & Practice Management is given, and the HIPAA Compliance Office will either approve or deny the request as stated in the Access Authorization policy. Each computer on the campus network connects to either server via a private network and encrypted client software. Anyone who wishes to access these systems remotely must use OSUVPN Gateway.

All clinical laptops are to have whole disk encryption before being deployed to the end user.

All portable storage devices in the clinic system will also have whole disk encryption before being deployed to the end user.

The OSU in Tulsa Information Technology department will install encryption software on all laptops currently in use on the OSU-CHS campus and at clinical locations. Once completed, the list will be provided to the OSU-CHS HIPAA Compliance Office. Beginning FY14, laptops purchased for use at OSU-CHS and at clinical locations will use hard drive encryption rather than software encryption.

The OSU in Tulsa Information Technology department will store software encryption keys in a secure network location. IT administrators are the only individuals who will have access to the software encryption keys, and the keys will be used only to restore files.
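A pre-deployment check of the whole disk encryption requirement above can be scripted. The following is an added example and not part of the OSU-CHS policy; it assumes BitLocker is the encryption product (the policy does not name one) and that the BitLocker PowerShell module is available on the laptop being checked. It reports each fixed volume that is not fully encrypted with protection turned on, and flags volumes that have no recovery password protector, since the policy requires encryption keys to be held by IT for file restoration.

```powershell
# Added example (not part of the OSU-CHS policy): verify that every fixed volume
# on a laptop is fully encrypted and protected before the device is deployed.
# Assumes BitLocker; run from an elevated PowerShell session.
function Test-LaptopEncryption {
    $Problems = @()

    # Only operating system and data volumes matter; removable media is handled
    # separately by the portable storage device requirement.
    $Volumes = Get-BitLockerVolume | Where-Object {
        $_.VolumeType -in @('OperatingSystem', 'Data')
    }

    foreach ($Vol in $Volumes) {
        $Mount = $Vol.MountPoint

        # FullyEncrypted is the only acceptable end state; EncryptionInProgress
        # means the disk still has plaintext sectors.
        if ($Vol.VolumeStatus -ne 'FullyEncrypted') {
            $Problems += "$Mount volume status is $($Vol.VolumeStatus) ($($Vol.EncryptionPercentage)% encrypted)"
        }

        # ProtectionStatus Off means the key is exposed (e.g. suspended BitLocker),
        # so an encrypted disk is still readable without authentication.
        if ($Vol.ProtectionStatus -ne 'On') {
            $Problems += "$Mount protection status is $($Vol.ProtectionStatus)"
        }

        # A recovery password is what IT escrows so files can be restored later.
        $HasRecovery = $Vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $HasRecovery) {
            $Problems += "$Mount has no recovery password protector to escrow"
        }
    }

    if ($Volumes.Count -eq 0) {
        $Problems += 'no fixed BitLocker volumes found; disk may be unencrypted or module unavailable'
    }

    return $Problems
}

$Result = Test-LaptopEncryption
if ($Result.Count -eq 0) {
    Write-Output 'READY FOR DEPLOYMENT: all fixed volumes fully encrypted and protected'
} else {
    Write-Output 'NOT READY FOR DEPLOYMENT:'
    $Result | ForEach-Object { Write-Output "  - $_" }
}
```

The recovery-protector check is a presence test only; confirming that the recovery password has actually been copied to the secure network location the policy describes is a separate step against that store.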

Reference

Access Authorization



Title: Temporary Staff Access
Policy: SEC-12.05
Category: HIPAA Compliance
Authority (HIPAA Section): 45 CFR § 164.312(a)(1)
Standard: Access Control
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

Identify methods of ensuring temporary staff and visiting medical students have the minimum necessary but appropriate level of access to OSU PHI, and ensure the methods used are auditable.

Policy

Temporary staff and/or medical students in the clinic system who do not have their own O-Key account may have access through departmentally sponsored temporary O-Key accounts.

Procedure

  1. Each clinic/department that wishes to utilize temporary staff for various reasons may obtain temporary O-Key service accounts from the IT Department.
  2. Upon activation of the service accounts, the requesting Department may utilize ID cards for access control.  Many of the OSU clinic locations utilize locked doors with card reader technology that requires an individual to swipe the card through the reader to open the door.  The requesting Department is required to keep an electronic, auditable log of ALL temporary staff and to which account/card they have been assigned while at OSU.
  3. The requesting Department may also request access to certain computer software programs that contain PHI.  These programs are the Electronic Health Record, Practice Management System and Document Imaging systems, the three main systems for clinical records.  Upon approval from the HIPAA Compliance Office, and after account creation by IT, it is the requesting Department's responsibility to request deactivation of temporary staff when employment/temp status ends.
  4. If the requesting Department utilizes RFID card technology to access the various software systems, the temporary staff member is NOT eligible to use an RFID card.
  5. If a temporary staff member gets re-assigned to a different department, access must be terminated under the current credentials, and the new department is to start the request process over.
  6. The audit logs that each department is required to keep are to be made available to IT, Internal Audits, and the HIPAA Compliance Office.
  7. New employees who have yet to receive their personal O-Key account are not eligible for a temporary service account.  They must wait until their personal O-Key account is created to get access to the various systems.
Definitions

  • Temporary Employee: Any employee who is hired, either through the university or through an agency, on a short-term basis and who by default does not receive an O-Key account as a term of employment.  Volunteers are required to sign the Volunteer Statement of Understanding through Human Resources.
  • RFID: Radio Frequency Identification.  To access some of the computer terminals at OSU, one may utilize an ID card with an RFID chip embedded in the card.  This automatically logs the user in under the information stored within the chip, bypassing typing in login credentials.
  • Med Students: Medical degree seeking students from other schools and universities who do not have and will not get an O-Key account because of the short length of their stay in our system.
