HIPAA Core Policy: Information Systems Account Management   



This policy sets forth guidelines for establishing minimum criteria for user account management.

Effective Date: 3/23/2016


Review/Revised Date: 3/23/2016


Category: Ethics and Integrity


Policy Owner: Provost

Policy Contact: Chief Privacy Officer



1. PURPOSE: To establish minimum criteria for user account management. 

2. PHILOSOPHY: Data available through each UAB Covered Entity's information systems shall maintain confidentiality, integrity, availability, and accountability. 

3. APPLICABILITY: This applies to all UAB Covered Entities: University Hospital, The Kirklin Clinic of UAB Hospital, the Kirklin Clinic of UAB Hospital at Acton Road, Callahan Eye Hospital and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West, VIVA Health, Inc., the University of Alabama Health Services Foundation, Ophthalmology Services Foundation, Valley Foundation, other UABHS managed entities that may be added from time to time, UAB School of Medicine, UAB School of Dentistry, UAB School of Optometry, UAB School of Health Professions, UAB School of Nursing, School of Education Community Clinic, UAB Health Plans, and other covered entities that may be added from time to time. For purposes of this policy, UAB Covered Entities shall be referred to as "UAB".


4.1. Definitions:

4.1.1. Account Administrator: Individuals who are charged with adding, disabling, and modifying access granted to users and other types of accounts such as service accounts.

4.1.2. Authentication mechanism: Items such as, but not limited to, passwords, tokens, biometrics, and smart cards.

4.1.3. Minimum Necessary: To make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.

4.1.4. Separation: The cessation of an individual's authority to occupy any role and perform any responsibilities on behalf of UAB. This may occur through the resignation of personnel, the dismissal of personnel or the termination of contractual agreements.

4.1.5. Strong passwords: Current industry best practices identify this as a minimum of eight alpha-numeric characters with at least one upper case and one special character.

4.1.6. User account: An established relationship between a user and a computer network, service, or application. User accounts are assigned a user ID and are uniquely identifiable and traceable to one user or entity. 

4.1.7. User ID: An individual ID used to identify a unique individual when logging into an information resource such as a computer, network, service, or application. Synonymous with sign-on code.

4.2. Background Information: Access is determined by position, role, and/or responsibility. If an employee's position, role, and/or responsibility change, system access shall be reevaluated as to its applicability. If the user believes that his/her account has been compromised, the user must contact their information systems help desk to report the occurrence and change his/her account information.


5.1. Unique User Identification 

5.1.1. All users must have a standard unique identifier (user ID) assigned for accessing UAB information resources.

5.1.2. Whenever possible, UAB information resources shall prohibit concurrent or simultaneous access by the same user ID except in cases where business use has been deemed necessary and appropriate and authorized by management. 

5.1.3. Generic user IDs shall only be allowed where the functions accessible or activities carried out by the ID do not need to be traced or audited.

5.1.4. Service accounts used for communications between systems and to operate services within a server environment shall be unique and shall be held confidential by the system administrators. UABIT and UABHS HSIS shall establish auditable procedures to securely maintain and access service accounts by systems administrators.

5.2. A user's account shall be promptly deactivated upon notification of separation of his relationship with UAB.

5.3. Users shall be given the minimal necessary access privileges to perform their duties. If a user's position, role, and/or responsibility changes, the user's account privileges shall be reevaluated and modified (if necessary) by their manager to match the minimum necessary for the current position's responsibilities.

5.4. All systems and applications are required to use at least a user identifier (typically a user ID) and an authentication mechanism, i.e. password, token, biometrics, smart card.

5.5. At a minimum, each department or clinical area shall have a designated written authorization process for granting access to UAB information resources. This process shall include a procedure for validating a user's identity and notifying the user's supervisor. Such a process shall include how the person granting access is identified. This person shall be a specifically identified individual who grants others access to resources.

5.5.1. All account requests shall at least include the last four digits of a user's social security number or an equivalent, such as employee number or logon ID.

5.5.2. All users requesting an account shall be required to provide their name as it appears on their personnel records (if applicable), department, title, phone number, and their supervisor's name and email address.

5.6. A process to document initial account requests shall be in place for each system.

5.7. Personnel shall notify the appropriate information systems help desk of any account violations.

5.8. Newly implemented systems and current systems with the capability shall comply with the following policies. Existing systems without the capability shall use their maximum available security features and work to comply with the following policies as systems are upgraded.

5.8.1. All systems shall enforce strong password selection.

5.8.2. All systems shall have audit trail capabilities that provide documented evidence of user access.

5.8.3. Passwords shall not be viewable to users or system administrators.

5.8.4. Passwords shall be stored encrypted on the system.

5.8.5. Default passwords and PINs shall be changed. 

5.8.6. Guest accounts shall be disabled.

5.8.7. The system shall prompt a user to choose a new password upon initial access to the system or after his account has been reset.

5.9. Users' Responsibilities:

5.9.1. Users shall protect account information and prevent use of their IDs, passwords, PINs, and tokens by others.

5.9.2. Users shall access information appropriately - with individually-assigned accounts and in compliance with UAB standards and policies.

5.9.3. Users shall not re-use expired passwords for at least 4 password-expiration cycles.

5.9.4. Users shall choose a new password upon initial access to the system and each time the password is reset by the administrator - to the extent that password change capabilities are supported by the system.

5.9.5. Users shall choose strong passwords - to the extent that strong password capabilities are supported by the system.

5.9.6. Users have a responsibility to close or log off applications or lock the workstation immediately after use.

5.9.7. Users shall provide account administrators with their manager's contact information (name, e-mail and phone number) when directly requesting access to information resources.

5.9.8. Vendors and contractors shall not be granted access without approval of the UAB sponsoring department. Access requests shall be submitted by the vendor's/contractor's assigned UAB management contact.

5.9.9. Users shall contact the appropriate system administrator for password resets and user account issues.

5.9.10. Users shall not verbally reveal their password to the helpdesk or any other person asking for the password. If the helpdesk needs the password, it will be a reset.

5.10. Account Administrators' Responsibilities:

5.10.1. Account administrators shall notify the user's manager when the user submits a direct request for access.

5.10.2. Account administrators shall add, modify, and disable user accounts upon notification from the appropriate manager.

5.10.3. Account administrators shall periodically analyze system logs to determine accounts that may have been compromised.

5.10.4. Account administrators shall not accept access requests from vendors or contractors. Access requests for vendors and contractors shall be submitted by UAB management with oversight for the vendors'/contractors' activities.

5.10.5. Account administrators shall ensure that systems are configured to comply with this policy.

5.11. Managers' Responsibilities:

5.11.1. Managers shall ensure and justify appropriate access for those under their supervision - including employees, vendors, contractors, and other third parties.

5.11.2. Managers shall provide account administrators with a projected separation date or contract termination date when requesting user accounts for temporary employees, vendors, contractors, and other third parties.

5.11.3. Managers shall ensure that access rights are the minimum necessary and commensurate with current job responsibilities for all individuals under their supervision.

5.11.4. Managers shall review, approve, and submit requests for the user accounts of those individuals under their supervision.

5.11.5. Managers shall ensure that individuals under their supervision are trained to access and use UAB information resources.

5.11.6. Managers shall enforce standards, policies, and procedures associated with the use of UAB information resources.

5.11.7. Managers shall notify relevant account administrators upon an employee's termination or transfer and upon a vendor's, a contractor's, or another third-party's completion of service.

5.12. UAB employees who do not follow the above policies may be subject to disciplinary action up to and including dismissal.

5.13. Vendors or contractors who do not follow the above policies may be subject to breach of contract penalties.

5.14. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this policy, contact one of the following:

5.14.1. your departmental HIPAA Entity Security Coordinator (found on the HIPAA website at http://www.hipaa.uab.edu/index.php/committees/24-committees/56-entity-security-coordinators)

5.14.2. the HSIS Help Desk at 934-8888

5.14.3. the UAB IT AskIT Help Desk at 996-5555 or askit@uab.edu

5.14.4. UAB/UABHS HIPAA Security Office at InfoSec@uabmc.edu or (205) 975-1440

5.14.5. UAB IT Data Security Office at 975-0842

6. ENFORCEMENT: Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or assignment, depending on the severity of the infraction. In addition, UAB may report the matter to civil and criminal authorities as may be required by law.


8. SCOPE: This standard applies to all UAB/UABHS entities covered under HIPAA and their systems that maintain PHI.


To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/index.php/policies.