The purpose of the Authorization/Supervision policy is:
- Establish written procedures for granting and revoking access to protected health information and computer systems.
- Develop levels of access to each Individuals and required changes based on employee’s responsibilities (promotions, termination, changes in duties, etc.).
- Establish policies regarding security training and necessary updates.
- Establish procedure for supervision of vendors when working on or close to protected information.
Procedure: Some of the tasks required under this policy have been covered in greater detail under subsequent policies. Regardless, the basic procedures are as follows:
- Position descriptions have been updated to define rights to information based on personnel’s responsibilities.
- Position descriptions accurately reflect assigned duties and responsibilities and enforce segregation of duties.
- A system of authentication is in place to ensure that Individuals are who they claim to be prior to allowing access to any equipment containing ePHI.
- Workstations containing computer terminals are secured with physical safeguards to minimize the possibility of unauthorized observation or access to ePHI.
- Areas where sensitive information is regularly entered or utilized have been secured using barriers to prevent public viewing of ePHI during normal working hours. Wherever feasible these areas will be locked when not in use.
- Printers and fax machines have been located in the most secure areas available, and will not be located in or near areas frequented by individuals or the public.
- Written procedures have been developed and are reviewed and updated by the Security Manager to delineate steps needed to grant and revoke access to employees.
