HIPAA Core Policy: Information Systems and Network Access   

Abstract: This policy establishes the minimum criteria for granting approved access to information systems.

Effective Date: 04/08/2005

Review/Revised Date: 08/16/2023

Category: Ethics and Integrity

Policy Owner: Provost

Policy Contact: Chief Privacy Officer

1. PURPOSE: To establish the minimum criteria for granting approved access to information systems involving protected health information (PHI).

2. APPLICABILITY: This policy applies to all UAB Covered Entities (School of Dentistry, School of Health Professions, School of Medicine, School of Nursing, School of Optometry, Joint Health Sciences Departments, School of Education Community Clinic, UAB Health Plans, and other UAB entities that may be added from time to time) and to the following UAB Medicine Enterprise Covered Entities: UAB Hospital, The Kirklin Clinic of UAB Hospital, The Kirklin Clinic of UAB Hospital at Acton Road, The Whitaker Clinic of UAB Hospital, UAB Callahan Eye Hospital and Callahan Eye Hospital Clinics, UAB Health Centers, Medical West Hospital Authority, an Affiliate of UAB Medicine Enterprise, Triton Health Systems, LLC, VIVA Health, Inc., the University of Alabama Health Services Foundation, P.C., Ophthalmology Services Foundation, P.C., Valley Foundation, and other UAB Medicine Enterprise managed entities that may be added from time to time. For purposes of this policy, UAB and UAB Medicine Enterprise Covered Entities shall be collectively referred to as “UAB.”

3. ASSOCIATED INFORMATION:

3.1. Definitions:

3.1.1. Appropriate Information Security Officer (ISO): The entity's ISO who acts in conjunction with the HIPAA Security Office for UAB.

3.1.2. Authentication mechanism: Items including, but not limited to, passwords, tokens, biometrics, and smart cards used for confirming a user's identity.

3.1.3. Business Associate: A person or entity (other than an employee of a UAB Covered Entity) who performs a function or activity involving the use or disclosure of protected health information, including, but not limited to, claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, for or on behalf of a UAB Covered Entity. A Business Associate of one UAB Covered Entity does not become a Business Associate of any other UAB Covered Entity simply by virtue of the UAB Affiliation.

3.1.4. Direct Need-to-Know: Those persons or classes of persons, as appropriate, who need access to specific protected health information to carry out their work-related duties.

3.1.5. Electronic Communication Network: Includes networks such as the Internet and wireless or wired networks.

3.1.6. Electronic Protected Health Information (ePHI): Protected health information in electronic form.

3.1.7. HIPAA: Health Insurance Portability and Accountability Act.

3.1.8. Minimum Necessary: To make reasonable efforts to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.

3.1.9. Portable Computing Devices (PCDs): Include, but are not limited to, handheld devices (e.g., laptop computers, tablet PCs, notebook computers), smartphones, portable workstations on wheels and carts, biomedical devices that collect patient information or provide life support and medical treatment, and pagers that store data. Portable computing devices are battery operated (though they may support direct connection to utility power), freestanding devices used for the purposes of data storage, retrieval, analysis, and exchange. Such devices may interact with other networked systems, the Internet, or desktop personal computers via some form of interconnection and/or synchronization process.

3.1.10. Portable Storage Devices (PSDs): Include, but are not limited to, external hard disk drives, DVDs, CDs, flash drives, USB drives, tapes, and other portable storage devices capable of acting as a transport agent for digital information.

3.1.11. Protected Health Information (PHI): Health information, including demographic information collected from an individual and created or received by a health provider, health plan, employer, or health care clearinghouse, that relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual, or for which there is a reasonable basis to believe the information can be used to identify the individual; and that is transmitted or maintained by electronic media or in any other form or medium. PHI does not include individually identifiable health information in education records covered and protected by the Family Educational Rights and Privacy Act (FERPA) or employment records held by a covered entity in its role as an employer.

3.1.12. Remote Access: Users outside of a covered entity's network accessing data on the entity's network.

3.1.13. Sensitive Information: Any information that may only be accessed by authorized personnel. It includes protected health information, financial information, personnel data, trade secrets and any information that is deemed confidential or that would negatively affect UAB if inappropriately handled.

3.1.14. Strong Passwords: Current industry best practices identify this as a minimum of eight alphanumeric characters with at least one upper-case letter and one special character.

3.1.15. User: Any individual who accesses UAB electronic protected health information assets.

3.1.16. User Account: Information used to gain access to UAB ePHI resources. This includes, but is not limited to, user IDs, passwords, personal identification numbers (PIN), tokens, certificates, biometrics, and smart cards.

3.1.17. User ID: An individual ID used to identify a unique individual when logging into a UAB information resource such as a computer, network, service, or application.

4. POLICY:

4.1. Requests for access to UAB's ePHI shall be granted only to individuals with a direct need-to-know.

4.2. Approval will be based upon minimum necessary privileges and the direct need-to-know for a specific job function.

4.3. In situations where work is performed by any non-UAB employee on a system containing ePHI, it is the responsibility of the appropriate manager to seek pre-approval for access and to monitor the individual's activities on the system. Access to ePHI for non-UAB employees will only be granted if those employees are assigned to a third party with a signed Business Associate Agreement.

4.4. Transmission of PHI or other sensitive information over an electronic communication network shall be encrypted.

4.5. Network personnel shall not open ports through any firewall without pre-approval from appropriate management and the appropriate information security office. Approved requests shall be documented.

4.6. Use of portable devices to store ePHI must be pre-approved by the appropriate information security office, and such devices must be properly secured with appropriate physical and software controls in accordance with the HIPAA Security Core Policy "Use of Portable Devices."

4.7. All requests for phone lines shall be approved by the UAB Communications Department or HSF Telecommunications.

4.8. Any external access to a UAB network containing ePHI, or internal access to outside networks, that bypasses the UAB and UAB Medicine Enterprise firewalls shall be approved by the UAB Chief Information Security Officer (CISO) or the UAB Medicine Enterprise CISO.

4.9. Access for non-UAB personnel must be uniquely identifiable and submitted in writing to the appropriate information security office prior to receiving access. The written request for access shall describe the reason and duration of the need (to include an anticipated termination date). This written request must describe the nature of access, reference the Business Associate Agreement (BAA), if needed, contain sufficient information to identify potential risk, and meet the minimum necessary requirement. If granted, the access must be documented, noting the date when granted.

4.10. Requests for access to ePHI systems utilized for Institutional Review Board approved research shall be reviewed against the above established criteria on a case-by-case basis.

4.11. All networks containing ePHI shall utilize measures to prevent unauthorized devices from connecting to the network.

4.12. User's responsibilities:

4.12.1. Shall follow UAB and their department's system security procedures, e.g., security patches, anti-malware protection, and anti-spam protection. Exceptions shall be approved by the appropriate information security office.

4.12.2. Shall not implement systems that function as a bridge between a UAB/UAB Medicine Enterprise network containing ePHI/sensitive information and an external network, e.g., split tunneling.

4.12.3. Shall log off applications containing ePHI/sensitive information when not in use. Also, shall lock the computer screen or log off Windows when the workstation is not in use.

4.12.4. Shall not share their access codes or passwords with other individuals.

4.12.5. Shall not perform scanning on a UAB network without approval from the UAB CISO or the UAB Medicine Enterprise CISO.

4.12.6. Shall not attempt unauthorized or inappropriate access to any UAB system including those containing ePHI or other sensitive information.

4.12.7. Shall apply the same security policies and procedures as are required in the workplace when accessing UAB resources containing ePHI, regardless of location (i.e., applying necessary access lists, software or network firewalls, access controls, etc., when at home or at another off-site location).

4.13. System Administrator responsibilities:

4.13.1. Shall report unapproved portable devices to the appropriate manager.

4.13.2. Shall implement and maintain the latest security patches on the systems under their management.

4.13.3. Shall ensure deployment of required endpoint agents in accordance with appropriate network use.

4.13.4. Shall apply automatic logoff/lockout features for inactive user sessions (e.g., a 15-minute logoff in high volume/traffic areas, as per industry best practices or local policy).

4.13.5. Shall use separate, unique user accounts to ensure individual accountability.

4.13.6. Shall establish user accounts and accounts with higher privilege, e.g., system administrator, supervisor, root, superuser, in a manner that ensures individual accountability.

4.13.7. Shall not establish group user accounts.

4.13.8. Shall grant minimum necessary and direct need-to-know access rights as applicable to the person's documented job function. The appropriate information security office shall approve additional access rights.

4.13.9. Shall establish emergency access procedures for the systems they manage.

4.13.10. Shall keep and monitor logs in order to detect and document attempts to compromise accounts, identify password brute-force attacks, and detect other types of abuse.

4.14. Manager responsibilities:

4.14.1. Shall ensure users follow policies for use of portable devices in accord with the HIPAA Security Core Policy "Use of Portable Devices."

4.14.2. Shall routinely monitor to ensure users are aware of and in compliance with the security policies including those addressing portable devices and home workstations.

4.14.3. Shall establish procedures in written or electronic form to comply with this policy and, where this policy requires an action, activity, or assessment to be documented, maintain a written or electronic record of that action, activity, or assessment.

4.14.4. Shall ensure business associates are aware of and in compliance with all of the HIPAA and HITECH security requirements.

4.15. Business Associates responsibilities:

4.15.1. All business associates shall be required to sign an approved business associate agreement.

4.15.2. Business associates must comply with UAB and UAB Medicine Enterprise policies and standards applicable to the nature of their work with UAB.

4.16. Remote Access:

4.16.1. Requests for remote access to ePHI must be reviewed, documented, approved, and conform to all UAB and UAB Medicine Enterprise remote access policies. Remote access accounts should be periodically reviewed. Examples of minimum security controls include a unique user ID, a strong password, two-factor authentication, session timeout, and a secure connection.

4.16.2. Remote users accessing ePHI systems shall use a UAB approved Virtual Private Network (VPN) solution.

4.17. Violations:

4.17.1. Violations of these policies may result in disciplinary action, up to and including dismissal, and civil and criminal penalties.

4.17.2. Business associates must comply with UAB policies applicable to the nature of their work with UAB. Business associates who do not follow applicable requirements could be subject to breach of contract penalties, possible legal prosecution, civil and criminal penalties, and other legal remedies/ramifications as available to UAB.

5. CONTACTS: For questions regarding the requirements, implementation, and enforcement of this policy, contact one of the following:

5.1. Your departmental HIPAA Entity Security Coordinator.

5.2. The HSIS Help Desk at 205-934-8888 or helpdesk@uabmc.edu.

5.3. The UAB IT AskIT Help Desk at 205-996-5555 or askit@uab.edu.

5.4. UAB/UABHS HIPAA Security Office at InfoSec@uab.edu or 205-975-1440.

5.5. UAB IT Information Security Line at 205-975-0842.

6. REFERENCES: None

7. SCOPE: This policy applies to all UAB HIPAA covered entities and their systems that maintain ePHI and applicable business associates.

8. ATTACHMENTS: None

To view other HIPAA Core Policies and for more information, please visit https://www.hipaa.uab.edu/index.html