Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Security Policies & Procedures

Section 3 - Information Access Management

 

Title: Isolating Health Care Clearinghouse Functions
Policy: SEC-03.01
Category: HIPAA Compliance
Authority: 45 CFR §164.308(a)(4)(ii)(A)
HIPAA Section: 162.930, 164.105
Standard: Information Access Management
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

Isolate Clearinghouse Functions

Policy

OSU’s clearinghouse is part of a larger organization.  The clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.  §164.308(a)(4)(ii)(A)

Procedure
  1. The vendor contracted for clearinghouse purposes for OSU is to have a Business Associate Agreement in place.
  2. Claims are submitted electronically to the clearinghouse vendor or OSU.
  3. The clearinghouse vendor sends a report back showing what was received.
  4. The clearinghouse vendor or OSU submits claims to the various insurance companies.
For OSU Clearinghouse Functions
  1. OSU will use the NPI of any health care provider (or subpart(s), if applicable) that has been assigned an NPI to identify that health care provider on all standard transactions where that health care provider’s identifier is required.
  2. When acting as a business associate for another covered entity, OSU’s clearinghouse may perform the following functions:
    • (a) Receive a standard transaction on behalf of the covered entity and translate it into a nonstandard transaction (for example, nonstandard format and/or nonstandard data content) for transmission to the covered entity. 
    • (b) Receive a nonstandard transaction (for example, nonstandard format and/or nonstandard data content) from the covered entity and translate it into a standard transaction for transmission on behalf of the covered entity.
  3. As a hybrid entity, OSU’s clearinghouse will not disclose protected health information to OSU Physicians. Where a member of the workforce performs duties for both the clearinghouse and the Physicians Clinics, that member will not use or disclose protected health information created or received in the course of, or incident to, the member’s work for one of them in the course of the member’s work for the other.
  4. OSU will comply with § 164.316(a) and § 164.530(i), pertaining to the implementation of policies and procedures to ensure compliance with applicable requirements.
  5. OSU maintains that it is not an Affiliated Covered Entity and complies with § 164.308(a)(4)(ii)(A) by isolating the protected health information of the clearinghouse from unauthorized access by OSU Physicians. OSU will keep this documentation on record for six (6) years, even if its status changes.
  6. The clearinghouse database is stored on servers separate from those of the Physicians Clinics, and clearinghouse network traffic passes through different routers than the traffic of the Physicians Clinics.


Title: Access Authorization
Policy: SEC-03.02
Category: HIPAA Compliance
Authority: 45 CFR §164.308(a)(4)(ii)(B)
HIPAA Section: 164.308(a)(4)(ii)(B)
Standard: Information Access Management
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To identify the proper steps and process for Access Authorization.        

Policy

OSU will implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

Procedure

All OSU employees who need access to electronic protected health information, as assigned in their job description, will be granted only the minimum access necessary to perform their job.

The employee’s supervisor determines what level of access is needed.

The supervisor then follows the steps outlined in SEC-03.03 Access Establishment & Modification to submit the account request.

The HIPAA Compliance Office and the Change Control Committee will regularly audit the access levels granted in the various systems to ensure that the minimum necessary standard is met.
Reference

SEC-03.03 Access Establishment and Modification
OSU Confidentiality Agreement
PRV-07.03 Minimum Necessary Uses of Protected Health Information



Title: Access Establishment and Modification
Policy: SEC-03.03
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.308(a)(4)(ii)(C)
Standard: Information Access Management
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

Access Establishment and Modification          

Policy

OSU will implement policies and procedures that, based upon OSU’s access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

Procedure

Access for any OSU-CHS employee to a computer system that contains PHI is requested with the EMR/Practice Management Account Request Form, found here: http://www.osu-tulsa.okstate.edu/it/chs/arf.php

  1. After the employee has an active Okey account, the supervisor shall fill out the form on the employee’s behalf.
  2. The supervisor shall select which system(s) the employee needs access to.
  3. The supervisor shall select which level of security the employee needs for each system.
  4. Depending on the system and level of security chosen, the supervisor shall state the reason why that level of access is needed.
  5. Once completed, the form must be printed out and signed by both the employee and the supervisor.
  6. The form is then faxed to the HIPAA Compliance Office at the fax number listed on the form.
  7. Delivering the form in person or via inter-department mail is also acceptable.

Upon receiving the completed and signed form, the HIPAA Compliance Office will either approve or deny access.  If there is a denial, it is not required that the employee be notified of the denial or the reason thereof.

Once the HIPAA Compliance Office approves access to the requested systems, the Office will notify I.T. of the approval. I.T. will then either create the new access itself or forward the request to the individual in charge of account creation or modification for the relevant OSU-CHS system.

If an employee needs a change or modification of security in one of the systems, the same steps outlined above are to be followed.

If the form received by the HIPAA Compliance Office is incomplete, or does not contain the two required signatures, the HIPAA Compliance Office shall not approve any access until the form is completed in its entirety. If a form is received with one person’s signature in both the employee and supervisor fields, access will be denied.

The HIPAA Compliance Office will keep a copy of all requests on paper and/or electronically.

Reference

SEC-03.02 Access Authorization
OSU Confidentiality Agreement

