HIPAA Core Policy: Information Systems Account Management

Abstract: 
This policy sets forth guidelines for establishing minimum criteria for user account management.

Effective Date: 7/22/2004

Review/Revised Date: 08/16/2023

Category: Ethics and Integrity

Policy Owner: Provost

Policy Contact: Chief Privacy Officer

1. PURPOSE: To establish minimum criteria for user account management. 

2. APPLICABILITY: This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Health Plans, and other UAB entities that may be added from time to time) and to the following UAB Medicine Enterprise Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, The Whitaker Clinic of UAB Hospital, UAB Callahan Eye Hospital Authority and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West Hospital Authority, an Affiliate of UAB Medicine Enterprise, Triton Health Systems, LLC, VIVA Health, Inc., the University of Alabama Health Services Foundation, P.C., Ophthalmology Services Foundation, P.C., Valley Foundation, and other UAB Medicine Enterprise managed entities that may be added from time to time. For purposes of this policy, UAB and UAB Medicine Enterprise Covered Entities shall be collectively referred to as “UAB.”

3. ASSOCIATED INFORMATION:

3.1. Definitions:

3.1.1. Account Administrator: Individuals charged with adding, disabling, and modifying access granted to users and other types of accounts such as service accounts.

3.1.2. Authentication mechanism: Items such as, but not limited to, passwords, tokens, biometrics, and smart cards.

3.1.3. Minimum Necessary: To make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.

3.1.4. Separation: The cessation of an individual's authority to occupy any role and perform any responsibilities on behalf of UAB. This may occur through the resignation of personnel, the dismissal of personnel, or the termination of contractual agreements.

3.1.5. Strong passwords: HIPAA requires a minimum of eight alpha-numeric characters with at least one upper case and one special character.

3.1.6. User account: An established relationship between a user and a computer network, service, or application. User accounts are assigned a user ID and are uniquely identifiable and traceable to one user or entity. 

3.1.7. User ID: An individual ID used to identify a unique individual when logging into an information resource such as a computer, network, service, or application. Synonymous with sign-on code.

3.2. Background Information: Access is determined by position, role, and/or responsibility. If an employee's position, role, and/or responsibility change, system access shall be reevaluated as to its applicability. If the user believes that his/her account has been compromised, the user must contact his/her information systems help desk to report the occurrence and change their account information.

4. POLICY:

4.1. Unique User Identification: 

4.1.1. All users must have a standard unique identifier (user ID) assigned for accessing UAB information resources. This unique identifier cannot be changed.

4.1.2. Whenever possible, UAB information resources shall prohibit concurrent or simultaneous access by the same user ID except in cases where business use has been deemed necessary and appropriate and authorized by management. 

4.1.3. Service accounts used for communications between systems and to operate services within a server environment shall be unique and shall be held confidential by the system administrators. UABIT and UAB Medicine HSIS shall establish auditable procedures to securely maintain and access service accounts by systems administrators.

4.2. A user's account shall be promptly deactivated upon notification of separation of their relationship with UAB.

4.3. Users shall be given the minimum necessary access privileges to perform their duties. If a user's position, role, and/or responsibility changes, the user's account privileges shall be reevaluated and modified (if necessary) by their manager to match the minimum necessary for the current position's responsibilities.

4.4. All systems and applications are required to use at least a user identifier (typically a user ID) and an authentication mechanism, i.e. password, token, biometrics, smart card.

4.5. Minimally, each department or clinical area shall have a designated written authorization process for granting access to UAB information resources. This process shall include a procedure for validating a user's identity and notifying the user's supervisor. Such a process shall include how the person granting access is identified. This person shall be a specifically identified individual who grants others access to resources.

4.5.1. All account requests shall at least include the last four digits of a user's social security number or an equivalent, such as employee number or logon ID. Account requests from employees and/or students shall include a complete social security number or an equivalent. All others must provide a unique 6-digit number such as an employee number or valid driver’s license number.

4.5.2. All users requesting an account shall be required to provide their name as it appears on their personnel records (if applicable), department, title, phone number, and their supervisor's name and email address.

4.6. A process to document initial account requests shall be in place for each system.

4.7. Personnel shall notify the appropriate information systems help desk of any account violations.

4.8. Newly implemented systems and current systems with the capability shall comply with the following policies. Existing systems without the capability shall use their maximum available security features and work to comply with the following policies as systems are upgraded.

4.8.1. All systems shall enforce strong password selection.

4.8.2. All systems shall have audit trail capabilities that provide documented evidence of user access.

4.8.3. Passwords shall not be viewable by users or system administrators.

4.8.4. Passwords shall be stored encrypted in the system.

4.8.5. Default passwords and PINs shall be changed. 

4.8.6. Guest accounts shall be disabled.

4.8.7. The system shall prompt a user to choose a new password upon initial access to the system or after their account has been reset.

4.9. Users' Responsibilities:

4.9.1. Users shall protect account information and prevent use of their IDs, passwords, PINs, and tokens by others.

4.9.2. Users shall access information appropriately - with individually-assigned accounts and in compliance with UAB standards and policies.

4.9.3. Users shall not re-use expired passwords for at least 4 password-expiration cycles.

4.9.4. Users shall choose a new password upon initial access to the system and each time the password is reset by the administrator - to the extent that password change capabilities are supported by the system.

4.9.5. Users shall choose strong passwords - to the extent that strong password capabilities are supported by the system.

4.9.6. Users have a responsibility to close or log off applications or lock the workstation immediately after use and shall not leave the workstation open and unattended.

4.9.7. Users shall provide account administrators with their manager's contact information (name, e-mail and phone number) when directly requesting access to information resources.

4.9.8. Vendors and contractors shall not be granted access without approval of the UAB sponsoring department. Access requests shall be submitted by the vendor's/contractor's assigned UAB management contact.

4.9.9. Users shall contact the appropriate system administrator for password resets and user account issues.

4.9.10. Users shall not verbally reveal their password to the helpdesk or any other person asking for the password. If the helpdesk needs the password, it will be reset.

4.10. Account Administrators' Responsibilities:

4.10.1. Account administrators shall notify the user's manager when the user submits a direct request for access.

4.10.2. Account administrators shall add, modify, and disable user accounts upon notification from the appropriate manager.

4.10.3. Account administrators or appropriate personnel shall periodically analyze system logs to determine accounts that may have been compromised.

4.10.4. Account administrators shall not accept access requests from vendors or contractors. Access requests for vendors and contractors shall be submitted by UAB management with oversight for the vendors'/contractors' activities.

4.10.5. Account administrators shall ensure that systems are configured to comply with this policy.

4.11. Managers' Responsibilities:

4.11.1. Managers shall ensure and justify appropriate access for those under their supervision - including employees, vendors, contractors, and other third parties.

4.11.2. Managers shall provide account administrators with a projected separation date or contract termination date when requesting user accounts for temporary employees, vendors, contractors, and other third parties.

4.11.3. Managers shall ensure that access rights are the minimum necessary and commensurate with current job responsibilities for all individuals under their supervision.

4.11.4. Managers shall review, approve, and submit requests for the user accounts of those individuals under their supervision.

4.11.5. Managers shall ensure that individuals under their supervision are trained to access and use UAB information resources.

4.11.6. Managers shall enforce standards, policies, and procedures associated with the use of UAB information resources.

4.11.7. Managers shall notify relevant account administrators upon an employee's termination or transfer and upon a vendor's, a contractor's, or another third-party's completion of service.

4.12. UAB employees who do not follow the above policies may be subject to disciplinary action up to and including dismissal.

4.13. Vendors or contractors who do not follow the above policies may be subject to breach of contract penalties.

5. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this policy, contact one of the following:

5.1. Your departmental HIPAA Entity Security Coordinator (found on the HIPAA website at http://www.hipaa.uab.edu/index.php/committees/24-committees/56-entity-security-coordinators)

5.2. The HSIS Help Desk at 205-934-8888 or helpdesk@uabmc.edu 

5.3. The UAB IT AskIT Help Desk at 205-996-5555 or askit@uab.edu

5.4. UAB/UABHS HIPAA Security Office at InfoSec@uabmc.edu or (205) 975-1440

5.5. UAB IT Information Security line at 205-975-0842

6. ENFORCEMENT: Any user found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or assignment, depending on the severity of the infraction. In addition, UAB may report the matter to civil and criminal authorities as may be required by law.

7. REFERENCES: None

8. SCOPE: This policy applies to all UAB HIPAA covered entities and their systems that maintain PHI.

9. ATTACHMENTS: None

To view other HIPAA Core Policies and for more information, please visit http://www.hipaa.uab.edu/index.php/policies.