UAMS ADMINISTRATIVE GUIDE

NUMBER: 7.3.03
DATE: 10/31/02
REVISION: 9/21/2007

SECTION: INFORMATION TECHNOLOGY
AREA: NETWORK SECURITY
SUBJECT: COMPUTER DEVICE CUSTODIAL PRACTICES TO PROTECT CONFIDENTIAL INFORMATION
PURPOSE
To inform the UAMS workforce about secure practices to protect confidential information on computer devices.
SCOPE

UAMS Workforce
DEFINITIONS
Mobile Devices are defined as Personal Digital Assistants (PDAs), tablets, cellular phones, text pagers, laptop computers, and any other types of mobile devices or media that receive, record or store information and data.

Protected Health Information (PHI) means information that is part of an individual’s health information that identifies the individual, or for which there is a reasonable basis to believe the information could be used to identify the individual, including demographic information, and that (i) relates to the past, present or future physical or mental health or condition of the individual; (ii) relates to the provision of health care services to the individual; or (iii) relates to the past, present, or future payment for the provision of health care services to an individual. This includes PHI which is recorded or transmitted in any form or medium (verbally, in writing, or electronically). PHI excludes health information maintained in educational records covered by the federal Family Educational Rights and Privacy Act and health information about UAMS employees maintained by UAMS in its role as an employer.
POLICY
UAMS is committed to protecting the confidentiality of information (Protected Health Information, confidential research data, and confidential employee and student records) maintained on UAMS computer devices and to prohibiting unauthorized access to such information. Systems through which confidential information may be accessed must be protected through the following procedural UAMS workstation custodial practices. These practices facilitate compliance with related federal and state statutes and regulations. This policy applies equally to all devices through which confidential information and PHI may be accessed or distributed.
PROCEDURE

1. Placement of Workstations (including printers and data entry/display terminals): The placement of data entry/display terminals and printers on which confidential information or PHI may be accessed or displayed is evaluated as part of the IT Project Plan under which the devices will be implemented. Placement is evaluated a second time, upon installation by IT Workstation Support. After installation, each UAMS department is responsible for continued monitoring of placement changes.

2. Automatic Log-off Intervals: All software systems through which PHI is accessible are required to have an automatic logoff. Intervals are determined by UAMS IT Security in conjunction with each department and reviewed annually for compliance and revisions.

3. Activating and Deactivating Passwords:
A. UAMS staff and students and all other persons requesting access to non-public resources available on the UAMS network domain must review and sign a UAMS Confidentiality Agreement prior to being granted access. UAMS Colleges may include the Confidentiality Agreement for students as a component of a set of policies provided to students, which they must acknowledge by signature.

B. All information systems through which PHI is accessible must employ some form of access security using passwords, biometrics, tokens, or other techniques.

C. UAMS departments are responsible for terminating within SAP all persons who leave the employ of UAMS. UAMS IT Security will generate an exiting employee report weekly and deactivate all accounts having access to systems through which PHI is accessible. UAMS domain accounts will be disabled automatically in a daily process.

D. Departments are responsible for updating employee status (job change or termination) in SAP on a timely basis.

E. Department supervisors are responsible for reviewing transferring employees’ computer access levels and notifying the Department’s IT Administrator or the UAMS IT Security Office (by email, phone call, or by completing the IT System Access Form) of any computer system access levels that must be maintained, assigned or deactivated.

4. Workstation Access: Access to workstations through which confidential information and PHI is accessible is granted to authorized individuals on a need-to-know basis. Persons authorized to use confidential information and PHI in their official UAMS duties are required to safeguard that information and may use it only for, and to the extent required by, official UAMS business purposes. Authorized PHI users must not in any way further disclose or provide that information to others except in accordance with UAMS policies and procedures.
5. User Education:

A. UAMS employees and students are educated on information security at the time of orientation.

B. Non-employees and vendors are required to be sponsored by a UAMS department, read a statement on UAMS IT Security and sign the UAMS Confidentiality Agreement before being granted access to any UAMS computer system. Non-employees and vendors should be entered into SAP as a “non-employee” by the sponsoring department for automatic domain account creation.

C. All persons who will be granted access to information systems through which PHI is accessible must attend training, as required, for use of those systems.

6. Physical Security: PCs, mobile devices, or any other device containing confidential information or PHI should be secured. Refer to UAMS Safeguarding of Protected Health Information Policy, 3.1.38. All PHI and other confidential information generated at UAMS is considered to be the property of UAMS and is not to be removed without prior approval.

7. Termination: Upon employee termination from UAMS, users of any personally owned computers and other mobile devices are responsible for permanently removing all UAMS confidential information and UAMS-owned software from the device(s). The employee should coordinate with their supervisor the removal of any PHI or UAMS-owned computers or mobile devices.

SIGNATURE: ________________________________  DATE: _________________________