I. Scope & Applicability
This policy applies to Stanford University HIPAA Components (SUHC) information systems that access, use, or maintain electronic protected health information (ePHI) and the users requiring access to and administering that data and those systems.
Information systems that are managed by, or receive technical support from, Stanford Health Care (SHC) or Stanford Children’s Health (SCH) are subject to the policies and procedures of those respective entities.
II. Policy Statement
SUHC will implement reasonable and appropriate measures to (i) limit access to ePHI only to those persons or automated processes that have been granted access rights based on their required functions and (ii) prevent those who have not been granted those rights from obtaining access to ePHI.
III. Principles
- Authorized Access. Only workforce members or business associates who have been authorized to have access to specified PHI, in accordance with the requirements set forth in the SUHC policy H-13: Minimum Necessary Use & Disclosure of PHI, may access and work with the associated ePHI.
- Workplace Security. Persons who are not authorized to access ePHI but who work in or visit locations where ePHI might be accessible will be supervised, escorted, or otherwise procedurally denied access to such information. Workforce members will safeguard ePHI when persons who are not authorized to access the information are present, in accordance with the SUHC HIPAA Security: Computing Devices and Electronic Storage Media Policy.
- Access Control Management Responsibilities. The System Owner of a SUHC information system is responsible for access control management. The System Owner or designee(s) will serve as:
  - Access Granting Authority – the person(s) having managerial authority to approve requests for access rights to the information system.
  - Access Control Administration – the person(s) or group (e.g., access control group) responsible for creating, modifying, and terminating a user’s ability to access the information system or ePHI based on direction from the Access Granting Authority.
For multi-user systems or databases, if the System Owner delegates access granting responsibility, the Appointment as Access Granting Authority Form or an equivalent means will be used to document the designation.
Where appropriate as determined by the System Owner, including in particular for High Risk systems (e.g., central authentication system, campus email system), Access Granting Authority and Access Control Administration will be separate functions (i.e., will not be the responsibility of the same persons).
- Access Rights Requirements. The Access Granting Authority will only grant access rights to those persons (e.g., workforce members, business associates, other legally authorized persons such as research sponsors) or automated processes (e.g., an interface between two information systems) that have a legitimate need based on their current responsibilities or function to access the information system and in accordance with the SUHC policy H-13: Minimum Necessary Use & Disclosure of PHI and other applicable University policies. The Access Granting Authority will verify that any necessary requirements have been met to establish that a user is authorized to access PHI prior to granting access rights.
- User Accounts Management. A user account will be established and maintained for each user of an information system to control authentication and access rights.
  - Setup Requirements. User accounts may only be created and maintained for users whose access requests have been approved by the Access Granting Authority as outlined in Section III.D, above.
  - Access Rights. Each user account will carry with it access rights to the data within the information system. Access rights determine what data sets (e.g., which patients, accounts, records) the user may view, copy, create, update, or delete within the information system.
- User Identification and Authentication. Access to an information system requires the use of a unique user identifier in conjunction with an associated password or other type of authenticator that has been approved by the Stanford University Chief Information Security Officer or delegate.
  - The Access Control Administration is responsible for:
    - Assigning to each authorized user of the SUHC information system a unique UserID. A user may be assigned the same UserID to access multiple information systems.
    - Providing users a secure mechanism to create a password or other authenticator that will be used to verify that the user seeking access to the information system is the one claimed. Except where not supported by the system, Stanford two-step authentication must be used.
  - Users are obligated to:
    - Use only their assigned unique UserID and authenticator(s) to access the information system. Use of another user’s identifier and/or authentication data to access an information system is strictly prohibited.
    - Change their authenticator (excepting biometric authenticators) on a regular basis. Change prompts will be provided by technical or procedural mechanisms. The System Owner will determine the frequency for authenticator change prompts based on risks associated with the information system.
    - Change their authenticator whenever there is reason to suspect that the authenticator may have become known to another person or otherwise compromised.
- Security of Access Control Data. SUHC will protect user account and authentication data stored in information systems from unauthorized access or modification.
- Modification and Termination. SUHC managers or supervisors will promptly notify the appropriate Access Granting Authority whenever a user of an information system:
  - Ceases to require access to the information system (e.g., terminates employment, transfers to another department); or
  - Requires modified access rights to perform required functions (e.g., changes roles within a department).
The Access Granting Authority will instruct the Access Control Administration to modify the user account data as appropriate. In cases in which a user no longer requires access to an information system, the Access Control Administration will terminate access as soon as is practical.
- Access Control Logs. The Access Control Administration will maintain logs or other documentation of all access request approvals, user account creations, modifications, and deletions for a minimum of six years.
- Emergency Access. The Access Granting Authority and the Access Control Administration will create, document, and maintain procedures for accessing ePHI during an emergency. Procedures for accessing ePHI in an emergency will be documented in the Contingency Plan for the corresponding information system (refer to the SUHC HIPAA Security: Contingency Planning Policy).
- Inactivity Logoff/Lockout. When a computing device is unattended, automated security features and procedures will be employed to deter unauthorized access to ePHI, as follows:
  - Automatic Logoff. If an information system has an automatic logoff capability, then the feature will be enabled to terminate an electronic session after a predetermined time of inactivity. It is the responsibility of the SUHC System Owner to determine the appropriate logoff time, based on a risk determination that considers (i) the nature of the application, (ii) user group information needs, and (iii) the physical location of the computing device used to access the application.
  - Automatic Application/Device Lock. If the information system does not have an automatic logoff capability, then an electronic method will be employed to lock the application or device after a predetermined time of inactivity (e.g., password-enabled screensaver). It is the responsibility of the SUHC System Owner to determine the appropriate lock-out time, based on a risk determination that considers (i) the nature of the application, (ii) user group information needs, and (iii) the physical location of the computing device used to access the application.
If an application or computing device cannot meet either of the requirements defined in Sections III.G.1 or III.G.2, above (e.g., due to technological limitations or because such security measures would impede necessary operations), then an exception must be obtained from the Stanford University Chief Information Security Officer or delegate. If an exception is obtained, then users will procedurally log off or lock the application or device, or physically secure the device (e.g., in a locked room or cabinet), as necessary to deter unauthorized access whenever the device is left unattended.
IV. Procedures
Each department or program included in the SUHC will develop, document, implement, and train its workforce on the procedures necessary to comply with this policy. Departmental or program procedures will include identification by title of the person(s) responsible for complying with the required activities and provisions.
V. Exceptions
Any exceptions to this policy must be approved by the Stanford University Chief Information Security Officer or delegate.
VI. Related Documents
- SUHC HIPAA Security: Computing Devices and Electronic Storage Media Policy
- SUHC policy H-13: Minimum Necessary Use & Disclosure of PHI
- SUHC HIPAA Security: Contingency Planning Policy
- Appointment as Access Granting Authority Form
VII. Document Information
- Legal Authority/References
  Health Insurance Portability and Accountability Act of 1996: Administrative Simplification Rules (as amended through 3/26/13), §164.308(a)(3); §164.308(a)(4); §164.312(a)(1)
- Contact for Questions Related to this Policy
  Stanford University Chief Information Security Officer
  securityofficer@stanford.edu
- Document Review History

| Version | Date Modified | Comments |
| --- | --- | --- |
| 1.0 | 05/24/2005 | Yes |
| 1.1 | 12/07/2015 | Yes. Reviewed and updated by Aaron Arutunian |
This document is intended for use by Stanford University. No representations or warrants are made for outside use. Not for outside reproduction or publication without permission.