/policies/,/policies/administrative/,/policies/administrative/uw-health-administrative/,/policies/administrative/uw-health-administrative/administration/,

/policies/administrative/uw-health-administrative/administration/102.policy

201708237

page

100

UWHC,UWMF,

Policies,Administrative,UW Health Administrative,Administration

UW Health Access to Electronic Systems (1.02)

UW Health Access to Electronic Systems (1.02) - Policies, Administrative, UW Health Administrative, Administration

1.02

Page 1 of 6


Administrative (Non-Clinical) Policy
This administrative policy applies to the operations and staff of the University of Wisconsin Hospitals and
Clinics Authority (UWHCA) as integrated effective July 1, 2015, including the legacy operations and
staff of University of Wisconsin Hospital and Clinics (UWHC) and University of Wisconsin Medical
Foundation (UWMF).


Policy Title: UW Health Access to Electronic Systems
Policy Number: 1.02
Effective Date: August 23, 2017
Chapter: Administration
Version: Revision


I. PURPOSE

This policy applies to electronic information systems managed by UW Health Information Services (IS),
and:
A. Defines the process by which user access is requested, reviewed, authorized, and granted.
B. Ensures appropriate user access is provided and maintained in a secure and consistent fashion
throughout the organization.
C. Ensures that UW Health protected health information (PHI) and other confidential, sensitive, or
proprietary business information is secure from unauthorized access and abuse.

II. DEFINITIONS

Electronic information systems: All hardware and software used to manage and facilitate access to
information stored electronically at UW Health. This includes software provided by UW Health but
installed by users on hardware that is not provided by UW Health (e.g., personal computers or mobile
devices).

Protected Health Information (PHI): Any individually identifiable health information that is
transmitted or stored in any form, including oral, written, and electronic. PHI includes demographic,
health, and financial information.

UW Affiliated Covered Entity (ACE): Collectively, any entities affiliated with the UW that are defined
as a common entity for HIPAA compliance purposes. This includes, but is not limited to:
A. UW Hospital and Clinics
B. UW Medical Foundation
C. Clinical departments of the University of Wisconsin School of Medicine and Public Health
D. Clinics of the University of Wisconsin Waisman Center

Use of PHI: The sharing, application, examination, or analysis of PHI by employees and other staff
working within the UW ACE.



Page 2 of 6

Disclosure/Release of information: Divulging information to any person or organization outside of the
UW ACE. Disclosure and release are used interchangeably.

Role: A category or class of person or persons doing a type of job, defined by a set of similar or identical
responsibilities.

Role-Based Access: When a user is assigned to one or more roles, access to electronic information
systems is assigned to the user based on previously defined access privileges assigned to the new role.

Need-to-Know: Limiting access to information based on whether a user has a legitimate clinical or
business need for access.

User ID: The unique identifier assigned to an individual user for authentication and access to systems or
applications.

Confidential Password: A private, user-selected series of characters used in conjunction with a user ID
to verify the identity of a user attempting to gain access to a computer system. The integrity of an
authentication mechanism that relies upon user IDs and passwords depends on the user’s responsibility
for proper password management, including keeping passwords absolutely private.

III. POLICY ELEMENTS

A. Access by All Users
1. UW Health requires that all user access to electronic information systems and PHI must be
authorized by appropriate supervisory personnel. UW Health IS obtains and retains
authorizations for all systems. UW Health provides role-based access to UW Health
corporate applications, data, operating systems, networks, and electronic mail software in
accordance with need-to-know and minimum necessary philosophies as described in the
following policies:
a. Hospital Administrative Policy 6.30 - The Minimum Necessary Rule
b. Hospital Administrative Policy 4.13 - Using and Disclosing (or Releasing) Protected
Health Information
c. UWMF Policy 018 - Minimum Necessary Use and Disclosure Policy & Guidelines
2. Users granted access to electronic information systems containing PHI must be familiar
with relevant sections of the above administrative policies.
3. All UW Health employees are issued a personal user ID and confidential password that
grants access to selected parts of the UW Health computer system upon hire. Access may
include, but is not limited to:
a. E-mail
b. Standard Microsoft Office products
c. PeopleSoft ESS
d. Learning and Development System
e. Intranet access
f. Additional access to systems as predefined for their role.
4. UW Health department directors, managers, supervisors, and the equivalent leadership staff
at affiliated organizations, are responsible for requesting access to electronic information
systems for the users who report to them. A formal request for each individual user must be
submitted via the request process maintained by UW Health IS. Exceptions can be made
during orientation periods for large groups of incoming staff, such as GME trainees,
medical students, nursing staff, etc. The leadership in each area coordinates access needs
with UW Health IS.

Page 3 of 6

5. When applicable training is available, proof of training completion is required before
access is granted. For example, Health Link training is a requirement of UW Health’s Good
Install Agreement with Epic and users must complete it to be granted access greater than
view only.
6. UW Health department directors, managers, and supervisors, and the equivalent leadership
staff at affiliated organizations, are responsible for validation of their staff’s access to
electronic information systems periodically. Access to sensitive systems, such as electronic
medical records (Health Link), are reviewed annually. In some cases where high risk access
has been requested by a manager, UW Health IS may require additional approvals before
access is granted. Examples include, but are not limited to, Health Link restricted Master
Files, Health Link test environments, and remote access.
7. UW Health departments that maintain access controls to departmental applications
independent of UW Health IS must also follow this policy to manage access to those
systems.

B. Access by Credentialed Providers
1. UW Health IS provisions access for credentialed providers without supervisory
authorization, but confirms credentialing is complete before proceeding. UW Health’s
credentialing process is a proxy for authorization for credentialed providers.

C. Access by Researchers
1. Researchers often use health and medical data in scientific studies that advance the field of
medical knowledge. Protections are in place to ensure that PHI and other sensitive
information are protected when used in these studies.
2. Access to PHI by scientific researchers is permitted when it is consistent with UW-Madison
policies regarding use and disclosure of PHI for human subjects research. Information
access requests must be consistent with the approval, exemption, or waiver granted by the
UW-Madison Health Sciences Human Subjects Committees whenever a research activity is
subject to review by an Internal Review Board (IRB).
3. Evidence that an information access request is consistent with IRB review or UW-Madison
research policies can be requested prior to authorization.

D. Access by Students in Affiliated Clinical Education Programs
1. Students often require access to electronic information systems during their training and
studies. Access to this information is permitted for clinical education, which includes
treatment, healthcare operations, and supervised research activities.
2. Access to electronic information systems is permitted for graduate education if the graduate
student is contributing work to a research study under the direction of a principal
investigator who is on the medical staff at UW Health. To access and use health
information, students must be enrolled in an academic program or accepted by a formal
internship/fellowship program.
3. UW Health must have a relationship with the school of origin in order to permit access to
PHI. Relationships are established and verified by the UW Health Legal Services
Department.
4. Student access to PHI is limited to computer devices on the UW Health network or the
networks of specific trusted business partners.
5. Remote access to PHI by students, such as access from a home computer, is prohibited.


Page 4 of 6

E. Access by UW-Madison Student Employees
1. UW-Madison employees in student employment categories can access electronic
information systems containing PHI only if the student is enrolled in the clinical years of a
UW-Madison health sciences clinical education program..
2. Evidence that a UW-Madison employee is eligible for access under this policy is required
prior to the provision of access.

F. Access by Organizations Outside the UW ACE
1. Generally, UW Health does not provide direct access to electronic information by
employees of organizations outside the UW ACE.
2. Exceptions may be considered when the outside organization performs important functions
in support of the UW Health mission, or when there are adequate safeguards that the use of
information is limited to necessary and appropriate functions.
3. For example, UW Health may grant electronic access in cases where:
a. UW Health has ownership or direct financial interests in the organization.
b. Access is limited to a very specific and well-defined population of patients, data, or
systems.
c. Senior UW Health leadership has requested that such access be provided.

G. Acceptable Use
1. Access to UW Health electronic information systems and PHI allows authorized users to
provide good patient care, support patient care activities, obtain payment for services,
support healthcare operations including clinical education, and perform approved research,
as described above in this policy.
2. The following guidelines should be followed to ensure the appropriate use and security of
sensitive information and PHI.
a. Users must log off from any electronic information system prior to leaving a
workstation unattended or unlocked.
b. Users are responsible for any access to data made using their user ID(s). Failure to
log off or to properly secure passwords does not absolve users from this
responsibility.
c. Use of electronic information systems and PHI by individual users is limited to the
purposes for which access was granted, specific to the users’ roles.
d. Users who hold two or more positions for which access is granted must use the
assigned user ID specific to the access granted. The user ID granted for one position
should not be used to access information accessible to the other position(s), unless
authorized by UW Health IS. UW Health IS provides guidance regarding the use of
access for dual roles, and such guidance must be followed.
e. Users must use their Health Link login ID only for work-related purposes, or to view
their own personal medical records.
3. Access to UW Health electronic information systems may not be used for any other
purposes.

H. Inappropriate Use
1. It is inappropriate to use electronic information and PHI in any of the following ways:
a. Users must not access data from an electronic information system to support any
business other than the business for which access is granted.
b. Users may access electronic information systems only to support the job
responsibilities for which they were granted access. Access in support of other
organizational affiliations is prohibited.

Page 5 of 6

c. Accessing a colleague's PHI is inappropriate, unless the health care provider is a
health professional assigned to the care of the colleague.
d. It is not appropriate to ask another user to access your PHI for you. Users may access
their own PHI, but such access must only be made with that user's personal user ID.
e. Employees must not print their own medical records but instead must request
electronic or paper copies by submitting appropriate authorizations to the Health
Information Management department.
f. Unless authorized to do so for work-related purposes, employees must not access the
medical records of any family members (including their children of any age) or other
individuals through Health Link, even if authorization for such access is provided by
the family member or other individual. All patients, including employees, are
encouraged to access medical records using MyChart.

IV. PROCEDURES

A. Authorization and Submission of Access Requests
1. UW Health IS issues a user ID and password that grants basic access to all employees upon
hire.
UW Health department directors and managers, or equivalent leadership staff of affiliated
organizations, submits requests for access to all additional electronic information systems.
A request for each individual user must be submitted using the request process maintained
by UW Health IS.
2. UW Health IS Systems Security may refuse any request that is not authorized by the
appropriate management staff (Directors and above may authorize a delegate through UW
Health IS). Users are assigned a unique user ID and an interim password for each electronic
information system appropriate to their roles. These user IDs and interim passwords are
released directly to the manager or director responsible for the user, who is then responsible
to assure that the users change the interim password to a confidential password the first
time they log into each information system.
3. During orientation periods for large groups of incoming staff, such as GME trainees,
medical students, nursing staff, etc., leadership in each area coordinate access needs with
UW Health IS.

B. Access Change Requests Due to Employee Role Changes
1. When a user's role changes within a department and a change in access is necessary, it is
the responsibility of the department director or manager, or equivalent leadership staff of
affiliated organizations, to request that the user's access be changed.
2. A formal request documenting the change in role must be submitted using the request
process maintained by UW Health IS.

C. Access Change Requests Due to Employee Transfers
1. UW Health IS strives to ensure appropriate access is maintained when a user transfers from
one department to another, or changes employment from one UW ACE entity to another.
2. It is the responsibility of the hiring department director or manager, or equivalent
leadership staff of affiliated organizations, to notify UW Health IS when a user with access
to electronic information systems transfers from one position to another to ensure
continuity of access. Without such notification, it is likely that appropriate access will be
delayed since the access assigned under the previous role is deleted upon termination of
that role.
3. A formal request documenting the new role must be submitted using the request process
maintained by UW Health IS.

Page 6 of 6

D. Access Termination
1. To preserve systems integrity and security, access to electronic information systems should
be removed as soon as possible after termination from employment or student status.
2. UW Health Human Resources notifies UW Health IS of employee termination dates to
ensure access is terminated promptly.
3. Affiliated organizations whose Human Resources departments do not notify UW Health IS
are required to ensure through other means that UW Health IS is notified upon termination,
transfer, or extended leave of any staff with access to UW Health electronic information
systems.
4. UW Health department directors and managers, or equivalent leadership staff of affiliated
organizations, are responsible for immediate notification to the UW Health IS of all
involuntary terminations so that access may be removed as soon as possible on the effective
date of any involuntary termination.
5. Credentialed physician access is removed based upon Termination of Privileges and
notifications to UW Health IS.

V. RELATED POLICIES

A. Hospital Administrative Policy 6.30 - The Minimum Necessary Rule
B. Hospital Administrative Policy 4.13 - Using and Disclosing (or Releasing) Protected Health
Information
C. Hospital Administrative Policy 1.53 - Authentication and Password Policy
D. UWMF Policy 018 - Minimum Necessary Use and Disclosure Policy & Guidelines

VI. COORDINATION

Sr. Management Sponsor: VP, Chief Information Security Officer
Author: UW Health Director – Systems Security
Reviewer(s): UW Health IS Directors; UW Health Director of Internal Audit

Approval committee: UW Health Administrative Policy & Procedure Committee



SIGNED BY

Elizabeth Bolt
UW Health Chief Administrative Officer