Information Security Policy
Part 1 - New Users
1. New user access to Protected Health Information (PHI) and other confidential information under the jurisdiction of Heart Healthy will be assigned based on the accessing individual’s roles. (1)
Example of roles:
• Nurse • Classified staff • Auditor • Contractor
• Casual Employee • Faculty • Temporary Staff • Special Administrator
• Physician • Comptroller • Clerical • HR Staff

2. All user accounts whether or not they have access to electronic PHI and other confidential data must be uniquely identified in order to track user identity. (2)
3. Managers must sign request for access for new users and submit them to System Owners who will specifically approve access of new employees. (3)
4. Systems owners are also responsible for reviewing access lists every six months to ensure access privileges are appropriate. Timeframe for access list review can be customize for each system based on documented risk management decisions. (4)
5. A user's access authorization shall be appropriately modified or removed when the user's employment or job responsibilities within the institution change. (5)
Part 2- Justification/References
1 – Based on HIPAA 164.312 (a) (1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).
2 - Based on HIPAA 164.312 (a)(2)(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity
3 HIPAA 164.308 (a)(3)(ii)(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health