Access Control Policy

Policy Statement

It is County's policy to control access to sensitive data including Protected Health Information (PHI).

Purpose

To establish guidelines for the development of procedures to control access to sensitive data and Protected Health Information.

Access Control Procedures

Physical and electronic access to sensitive data and Protected Health Information shall be controlled through procedures which establish rules for granting access, determining initial right of access and modifying the right to access. The level of control will depend on user need and the level of risk and exposure to loss or compromise.
  • Electronic access is controlled through authentication. Each user will be uniquely identified and passwords will be used to authenticate identity.
  • Passwords shall not be shared.
  • Passwords shall be at least six characters long and shall be changed at least once every ninety (90) days.
  • Users are required to log off or lock their PC any time they leave their immediate work area. The current automatic logoff procedures for AS/400 access will remain in effect.
  • Users are responsible and accountable for all access made under their personal identifiers/User IDs.
  • Control configurations shall be developed for each file or database. Department Heads are responsible for providing the necessary information to the Information Systems department so they can provide the proper access and levels of security.
  • All files containing Protected Health Information (PHI) shall be stored on the servers/mainframes with the appropriate access controls. PHI shall not be stored on a public drive. If there is a need to share PHI between employees, the Information Systems department will set up the security on a new drive or folder.

Personnel Security

Access to specific data elements, files, functions, menus, commands and networks is based on the user's patient care responsibilities or job functions. Procedures shall be developed to:
  • Assure supervision of maintenance personnel.
  • Maintain a record of access authorizations.
  • Determine the proper access level to be granted to individuals working on, or near, health information.
  • Establish personnel clearance procedures.
  • Establish and maintain personnel security policies and procedures.
  • Assure security awareness training for system users, including maintenance personnel.