Access Management

Policy No.                   8-27-2019 Revised Date: 

Introduction:

The following describes WSU Employee Wellness’s policy regarding information access management.

WSU Employee Wellness shall assign and manage access to electronic protected health information (“PHI”) in a manner commensurate with the role of each workforce member consistent with the Security and Privacy Rules.  WSU Employee Wellness shall document the process for establishing, documenting, reviewing and modifying access to electronic PHI periodically as appropriate.

Definitions:

Access: means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.  However, this definition only applies to the security standards for the protection of electronic PHI.

Electronic protected health information: means individually identifiable health information that is transmitted by electronic media or maintained in electronic media.

Protected Health Information (“PHI”): means individually identifiable health information (“IIHI”) that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or media.  IIHI means information that is a subset of health information, including demographic information collected from an individual and is created or received by a health care provider, health plan, employer or health care clearinghouse.  Such information relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.  PHI excludes IIHI: (i) in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) in records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) in employment records held by WSU Employee Wellness in its role as employer; and (iv) regarding a person who has been deceased for more than 50 years.

Workforce: means employees, volunteers, trainees and other persons whose conduct, in the performance of work for Weber State University, is under the direct control of WSU Employee Wellness, whether or not they are paid by Weber State University.

Procedure:

 

A.  Access Authorization

WSU Employee Wellness is committed to taking reasonable and appropriate steps to ensure that only appropriate access to electronic PHI is granted.  WSU Employee Wellness will implement, as appropriate, a documented process for granting and authorizing appropriate access to electronic PHI to include: (1) procedure for permitting various levels of access to electronic PHI; (2) procedure for logging and tracking authorization of such access to electronic PHI; and (3) procedure for reviewing and revising, on a periodic basis, authorization of access to electronic PHI.

 

B. Access Establishment and Modification

WSU Employee Wellness shall identify the appropriate level of access to electronic PHI and areas where electronic PHI might be accessed for each workforce member upon retention of such workforce member.  Once the appropriate level of access and areas of potential workforce member access have been determined, WSU Employee Wellness will assign the workforce member a user identifier that is unique to such workforce member.  WSU Employee Wellness, with the assistance of its information technology provider, shall log and track modification of each workforce member’s access rights.  WSU Employee Wellness will securely maintain the tracking and logging information, which shall include: (1) date and time of modification; (2) identification of workforce members whose access is being modified; (3) description of modified access rights; and (4) reason for modification of access rights.