Date Revised: January 25, 2008; January 23, 2009; March 17, 2010; January 7, 2011; February 27, 2012; July 30, 2013 Date of Last Cyclic Review:

Transcription

1 Policy Level: Policy Title: Policy Number: UW Medicine Compliance PP-20a - Access Management 20a Date Established: September 28, 2007 Date Revised: January 25, 2008; January 23, 2009; March 17, 2010; January 7, 2011; February 27, 2012; July 30, 2013 Date of Last Cyclic Review: Purpose To meet minimum necessary requirements, UW Medicine uses role-based access to enterprise-wide information systems that contain Protected Health Information (PHI). This document outlines: Making decisions for appropriate user access (including clearly defined PHI-sharing relationships with partners, external healthcare professionals, referrals, contractors, regulators, and insurers) The roles and responsibilities of groups and individuals within UW Medicine; Maintenance of documentation of user roles and privileges Definitions Access: The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. Allscripts: Generic term used for the suite of applications used by Northwest Hospital employed Physicians for their ambulatory electronic health records from the vendor Allscripts, LLC. Amalga: UW Medicine's name for our clinical data repository using Microsoft s Amalga Unified Intelligence System, a data aggregation platform which integrates data from many unrelated medical systems designed to retrieve and display patient information from many sources in one enterprise platform in order to provide an immediate, updated composite portrait of the patient s healthcare information Amalga Collection: A group of data, applications, databases or reports defined to allow a single rule for access privileges to all elements in the group. Amalga Collection Operator: The Collection Owner may designate a Collection Operator as the individual who will add or subtract users from the Collection s authorization list. 1

2 Amalga Collection Owner: Individual authorized by CDROC to be responsible for of the management of a collection of data, applications, databases or reports based on data from Amalga. Amalga System Level User - Affiliated Developer: Expert database developers who have been authorized by an Amalga System Owner to create reports and applications in the Amalga system or in one of the report distribution mechanisms. Each Affiliated Developer will be trained in use of the Amalga system and in compliance issues Consolidated Decision Support: A coordinated effort between UWMC, HMC & UW Medicine IT Services to create demographic and distribution databases using a common approach which consolidates various source data. (System examples include: Horizon Business Insight (HBI), Horizon Performance Manager (HPM), Cost Manager) Data Repositories (Clinical and Business): A Clinical or Business Data Repository is a near real-time or retrospective suite of databases that consolidates data from a variety of clinical and financial sources to present a unified view of patient information. (Clinical Examples: Amalga, MAP; Business Example HPM, Decision Support) Epic: Generic term used for the suite of applications used by UW Medicine from the vendor Epic (Examples: ASAP, Cadence, EpicCare, EpicWeb, Kaleidoscope Ophthalmology, Prelude, Resolute, and Stork OB) MAP: MasterMIND Access Program was developed at UW Medicine to query the data stored in the MIND database. MINDscape: Web-based application developed at UW Medicine to view of patient information. ORCA: Online Record of Clinical Activity (ORCA) is a UW Medicine EMR that uses Powerchart by the vendor Cerner. PulseCheck: Northwest Hospital Emergency Department information system from vendor PICIS/Ingenix. Soarian: Generic term used for the suite of applications used by Northwest Hospital from the vendor Siemens (includes Clinical Access, Common Clinicals, Charting, and Medication Reconciliation; also includes Soarian E-HIM, Physician Module and Medication Administration Check). System Operator: System operators are formally appointed by and report to system owners. Where required for information systems involving national security information, a system operator shall be an authorized person. The responsibilities of the system operator includes: o Making and being accountable for operational decisions about the use and management of an information system; and o Responsibilities as delegated by system owners. System Owner: System owners are formally appointed by and report to the executive heads of major University organizations or their designee(s). 2

3 The responsibilities of the system owners include: o Manage the confidentiality, integrity, and availability of the information systems for which they are responsible. This shall include developing and implementing a process for managing access to information systems for which they are responsible, and other processes or controls in compliance with University policies on information security and privacy; o Advise executive heads of major University organizations on the financial resources necessary to develop and implement information systems and controls, including those specifically required by grants or contracts; o Maintain critical information system documentation; and o Formally appoint and delegate responsibility to system operators. Workforce: Workforce means faculty, employees, volunteers, trainees, students, and other persons whose conduct, in the performance of work for UW Medicine, is under the direct control of UW Medicine, whether or not they are paid by UW Medicine. Policy I. Roles & Responsibilities for Access to Enterprise Clinical Information Systems A. UW Medicine Patient Privacy Advisory Committee (PPAC) Approves Agreements for Electronic Access to PHI for outside organizations. B. UW Medicine IT Services Security Program Develops and implements policies and guidance related to identification, authentication, and administration of UW Medicine systems. C. UW Technology Establishes and maintains the UW NetID. D. IT Services User Access Administration (UAA) 1. Maintains the user records in the Provider User Maintenance Authority (PUMA). The PUMA database provides the information to most enterprisewide clinical systems for the provisioning of access. 2. Maintains the clinician record in UW Technology Person Registration. 3. Maintains the process ( that Managers or their delegates use to create, modify, or deactivate user privileges. E. IT Services Epic Systems Group 3

4 Maintains the user records in the Epic database. F. IT Services Provider Maintenance Group (PMG) 1. Responsible for maintaining, administering and providing data quality and integrity of healthcare professionals information which is used to determine access to the clinical, financial and administrative systems of UW Medicine. 2. Maintains healthcare professionals signatures for ORCA and MINDscape. G. System Owners System Owners are responsible for identification, authentication, and access administration for their system and for maintaining records of the associated privileges for each role defined within their system. H. Managers 1. Request activations, modifications, and deactivations for approved accounts for workforce members under their supervision. Submit the request for job-related access to IT Services User Access Administration (UAA) or appropriate departmental system access administrators. Promptly report changes in end-user duties or employment status to IT Services User Access Administration ( and any departmental system access administrators to keep system privileges up-to-date and restricted to current job requirements. Examples of reportable changes include promotion, extended leave and separation. 2. Managers are required to maintain documentation on the systems to which workforce members has access. This documentation must be maintained in their personnel/academic file. The UW Medicine Document IT Systems Access for a Member of the Workforce form can be used to document this access. (See Attachment PP-20a Attachment C Document IT Systems Access for a Member of the Workforce) II. Authorizing Users for UW Medicine Clinical Information Systems (Examples: Allscripts, Epic, MINDscape, ORCA, PulseCheck, and Sorian) A. UW Medicine Workforce Access UW Medicine workforce members are provided access to ephi for the purposes of Treatment, Payment, and Healthcare Operations or IRB approved research based on location, department, and job function as 4

5 authorized by their Manager. Requests for access may be made by an authorized delegate, but the authorization responsibility remains with the Manager. Healthcare Professionals (i.e. professionally licensed or certified individuals who provide patient care such as MDs, DOs, DPMs, optometrists, ARNPs, CRNAs, PA-Cs) who are credentialed by UW Medicine Office of Medical Staff Appointments (OMSA), Northwest Hospital Medical Staff Office, or Valley Medical Center Medical Staff Office must be appointed to the medical staff before electronic access to clinical systems is granted. The access provided is based on job title, location, department and medical staff appointment criteria. Accreditation Council of Graduate Medical Education (ACGME) Residents and Fellows must be entered into UW Medicine's Graduate Medical Education's database (currently the Graduate Medical Education Tracking and Billing System - GMETABS) before electronic access to clinical systems is granted. The access provided is based on job title, location, department and medical appointment criteria. B. Organized Healthcare Arrangement (OHCA) Privacy Policy PP-01 Designation of Healthcare Components at the University of Washington, describes the organizations that have entered into an OHCA with UW Medicine. This arrangement allows the workforce members of those organizations to have access to the UW Medicine enterprise clinical information systems for the purposes of joint treatment, payment, and healthcare operations or IRB approved research. These organizations designate individuals that manage user access accounts for their respective workforce. C. Business Associates Contracts for services that require third parties to use and disclose PHI on behalf of UW Medicine must include Business Associate Agreement language (See UW Medicine Privacy Policy: PP-12 Use & Disclosure of Protected Health Information by Business Associates). When a contract requires that individuals from third parties need electronic access to enterprise clinical information systems these individuals are required to follow the terms of the Business Associate Agreement and sign the Business Associate Privacy, Confidentiality, and Information Security Agreement. (Please see PP20A- Attachment E Non-UW Medicine Workforce Privacy, Confidentiality, and Information Security Agreement). The UW Medicine Administrator/Director/Manager who holds the contract and oversees the work is responsible for documentation maintenance and access authorization. 5

6 D. Contractual Agreements for Access to Electronic PHI Under certain criteria, the Patient Privacy Advisory Committee (PPAC) may approve other healthcare organizations to have access to enterprise clinical information systems. Users privileges are granted according to the contractual agreement. (Please see PP20A-Attachment B Privacy, Confidentiality and Information Security Agreement - Pursuant to an Agreement for Electronic Access to PHI). E. Referring Healthcare Professionals UW Medicine may provide access through U-Link to enterprise clinical information systems to healthcare professionals for purposes of treatment. Each community healthcare professional is required to sign an agreement with the Physician Liaison Office. (See UW Medicine Privacy Policy: PP-20a Attachment D UW Medicine U-Link Program Account Enrollment and Agreement Form) F. External Healthcare Professionals for Continuity of Care UW Medicine may provide access to the enterprise clinical information systems through U-Link or Just-In-Time to healthcare professionals for purposes of continuity of care. These healthcare professionals must sign an agreement with the Physician Liaison Office. (See UW Medicine Privacy Policy: PP-20a Attachment D UW Medicine U-Link Program Account Enrollment and Agreement Form) G. Other Non-UW Medicine Workforce All other non-uw Medicine workforce member (i.e. auditors, insurers, regulators) access to enterprise clinical information systems must be authorized by a Director or Administrator. The non-uw Medicine workforce member must review & sign the Non-UW Medicine workforce Privacy, Confidentiality and Information Security Agreement (Please see PP20A- Attachment E: Non-UW Medicine Workforce Privacy, Confidentiality, and Information Security Agreement). This agreement must be maintained on file in the department. III. Authorizing Users for UW Medicine Clinical or Business Data Repositories (Examples: Amalga, Consolidated Decision Support, and MAP). Access to Clinical or Business Data Repositories is the responsibility of the System Owner. If the data from the Clinical or Business Data Repository is to be used for research, then the requirements of the Human Subjects Division must be met. o System Level Access (Example: Amalga Affiliate developer): Documented process with System Owner approval required. 6

7 o Collection: (Examples: uzcce the Center for Clinical Excellence; uzcbr Cancer Biospecimen Repository) Documented process authorized by the Clinical Data Repository Oversight Committee. IV. Non-Enterprise UW Medicine Systems. Systems not included in this document are provisioned by individual departments. Please contact the individual department to request user accounts. References 45 CFR Definitions. 45 CFR (3)(i) Standard: Workforce security. 45 CFR (3)(ii) Implementation specifications. 45 CFR (4)(i) Standard: Information access management. 45 CFR (a)(1) Permitted uses and disclosures. 45 CFR (b) Uses & Disclosure of Protected Health Information Minimum Necessary. 45 CFR (d) Other Requirements Relating To Uses & Disclosures Of Protected Health Information Minimum Necessary. Cross References PP-00 Glossary of Terms: Approvals UW Privacy Official Date Johnese M. Spisso, Chief Health System Officer, UW Medicine & Vice President for Medical Affairs, UW Related Procedures 7

8 UW Medicine Account UW Medicine Account Activation, Deactivation, Change Request Forms: Forms/Instructions PP-04 Attachment A: Privacy, Confidentiality, and Information Security Agreement: PP-20a Attachment A: Agreement for Electronic Access to Protected Health Information PP-20a Attachment B: Privacy, Confidentiality and Information Security Agreement Pursuant to an Agreement for Electronic Access to PHI PP-20a Attachment C: Workforce Member Documentation of IT System Access PP-20a Attachment D: UW Medicine U-Link Program Account Enrollment and Agreement PP-20a Attachment E: Non-UW Medicine Workforce Privacy, Confidentiality and Information Security Agreement Additional Contacts UW Medicine Compliance