MUSC Policy MUSC-xx: Information Security - Workforce Security


Definitions:

Refer to MUSC Policy MUSC-xx: Information Security, Appendix A.

Policy:

Entity IACOs are required to develop and disseminate procedures to ensure that only their entity's workforce members with a need to access protected information are granted such access.

The supervisors and managers of an Entity's workforce members are responsible for determining and authorizing each assigned workforce member's access to any information system that houses protected information. A workforce member may not authorize his own access to an information system that houses protected information.

The supervisors and managers of an Entity's workforce members are also responsible for updating or withdrawing their assigned workforce members' authorizations as needed to reflect changes in assigned role or termination from the Entity's workforce. To protect against unauthorized physical access to locations where protected information may be accessible, the manager must also ensure that any terminated workforce member turns in all facility access control mechanisms, such as keys and key cards, and that any combination locks and/or other access control codes are changed as necessary. Managers must also ensure the return of any assigned computer equipment.

The System Administrator of each MUSC information system that houses protected information is responsible for ensuring that no workforce member is granted access to protected information unless that access has been authorized by the workforce member's supervisor or manager and, further, has not been revoked by the supervisor or manager due to a change in assigned role or workforce membership status.

Sanctions:

Refer to MUSC Policy MUSC-xx: Information Security: Sanctions.

See Also:

MUSC Policy MUSC-xx: Information Security

References:

HIPAA Security 164.308(a)(3)(i) Standard: Workforce security
HIPAA Security 164.308(a)(3)(ii)(A) Authorization and/or supervision
HIPAA Security 164.308(a)(3)(ii)(B) Workforce clearance procedures
HIPAA Security 164.308(a)(3)(ii)(C) Termination procedures
HIPAA Security 164.308(a)(4)(i) Standard: Information access management
HIPAA Security 164.308(a)(4)(ii)(B) Access authorization
HIPAA Security 164.308(a)(4)(ii)(C) Access establishment and authorization
GLBA Safeguards Rule: 314.3(b)(3)
GLBA Safeguards Rule: 314.4(b)(1)
$Id: workforce-security.html,v 1.4 2004/12/10 19:45:52 gadsden Exp $