Goal: Discusses what the organization should do to appropriately control and validate physical access to its facilities containing information systems having ePHI or software programs that can access ePHI.
The purpose of this policy is to maintain an adequate level of security to protect patient data and information systems from unauthorized access. This policy defines the rules necessary to achieve this protection and to ensure a secure and reliable operation of Practice information systems.
Procedure: Only authorized users are granted access to information systems, and users are limited to specific defined, documented and approved applications and levels of access rights. Computer and communication system access control is to be achieved via user IDs that are unique to each individual user to provide individual accountability.
- Access controls will be applied to all computer-resident information based on its’ Data Classification to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable.
- Covered Entity approved system access controls will be used to limit user access to only those applications and functions for which they have been authorized.
- Users will be granted access to information on a “need-to-know” basis. That is, users will only receive access to the minimum applications and privileges required performing their jobs. The granting of access will take into account potential conflict with segregation of duties or incompatible job functions, and the level of access required before giving approval.
- System access will not be granted to any user without appropriate approval. Management is to immediately notify the System Administrator and report all system access changes in user duties or employment status. User access is to be revoked immediately if the individual has been terminated.
- Users are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of these systems. System privileges allowing the modification of ‘production data’ must be restricted to ‘production’ applications
- Users are responsible for all actions taken under their sign-on
- Workstations should invoke password-enabled screen savers
- When leaving a workstation the user is expected to properly log out of all application’s and networks.
- Unattended workstations should enforce a time-out. Resumption of access will require the user’s password.
