(a) Scope and applicability.
- (1) This policy applies to the Office of Health Information Technology, all participating entities, and their BAs and contractors.
- (2) This policy is to be read and applied in conjunction with the office security policy.
(b) Participating entity responsibilities. Each participating entity is responsible to:
(1)
- (A) Designate its responsible contact person who shall be initially responsible on behalf of the participating entity for compliance with these policies and to receive notice on behalf of the participating entity.
- (B) For participating entities that have their own system administrator, this shall ordinarily be the State Health Alliance for Records Exchange administrator;
- (2) Designate its own authorized users from among its workforce and designate BAs and contractors authorized to act as authorized users on its behalf;
- (3) Train and supervise its authorized users and require any BA or contractor to train and supervise its authorized users consistent with the participating entity’s and the office’s privacy policies and with the terms of the participating entity’s privacy policies and the BA agreement as applicable.
(4)
- (A) In the case of participating entities with a system administrator, immediately suspend, limit, or revoke access authority upon a change in job responsibilities or employment status of an authorized user.
- (B) Revocation shall occur prior to, contemporaneously with, or immediately following such a change so as to prohibit continued access authority for individuals who no longer need it on behalf of the participating entity.
- (C) For participating entities without their own system administrator, immediately notify the office security officer of the change so that the office may revoke access authority.
- (D) Notification shall occur prior to, contemporaneously with, or immediately following such a change so as to prohibit continued access authority for individuals who no longer need it on behalf of the participating entity; and
- (5) Hold their authorized users accountable for compliance with the office and the participating entity’s policies and, as applicable, the terms of any BA agreement.
(c) Office responsibilities. The office or the office’s designee is responsible to:
- (1) Grant access authority to individuals designated by a participating entity, subject to reserved authority to suspend, limit, or revoke such access authority as described later;
- (2) Train and supervise its own authorized users on these policies and the standard terms required by its BA agreement with participating entities;
- (3) Suspend, limit, or revoke access authority for its own authorized users or any authorized user who is a member of the workforce of any subcontractor of the office as required by these policies or the terms of its BA agreement in the event of breach or noncompliance;
- (4) Immediately revoke access authority upon a change in job responsibilities or employment status of its own authorized users or the authorized user of its contractor; and
- (5) Suspend, limit, or revoke the access authority of an authorized user on its own initiative upon a determination that the authorized user has not complied with the participating entity’s privacy policies, office policies, or the terms of the user agreement, if the office determines that doing so is necessary for the privacy of individuals or the security of the State Health Alliance for Records Exchange.
- (d) Office security procedures. The details of how to grant and revoke access authority are contained in the office security framework.
- (e) Application to BAs and contractors. Participating entities shall make this policy applicable to their BAs and to the contractors and subcontractors of their BAs as they deem appropriate through the terms of their BA agreements.
Codification Notes: “BA” means business associate.