Termination of User Access (107.015)



University of Wisconsin Medical Foundation

Policy Name: Termination of User Access
Policy Number: Privacy 008

__X__ New ____ Revised
If Revised, Supersedes Policy Dated: _________
Effective Date: April 14, 2003
Approved By (Name): Peter Christman
Title: Executive Vice President
Reviewed



I. PURPOSE
To establish consolidated termination guidelines for UWMF staff who have access to UWMF’s
electronic data systems, or as assigned to a UWMF department. Staff means all employees, staff
physicians, students and other trainees, volunteers, and other persons who, in the performance of
their work for UWMF, are under the direct control of UWMF.

II. POLICY

A. Levels of Access. UWMF ensures the ongoing security of system PHI through the
maintenance of appropriate and current access levels for staff. Whenever a UWMF staff
member is terminated from association with the UWMF, or is reassigned within UWMF,
departments take all reasonable measures to ensure that the confidentiality of patient
information is maintained.

B. Access Compromise. Whenever it is suspected that the terminated or reassigned staff
may have compromised patient data as a result of notification of his or her termination,
the department will:

 • fill out an incident report and send it to the UWMF Safety Department; and
 • report the potential breach to UWMF’s Human Resources Manager and to the
   Security Officer.

The Department Manager and/or Director work with the UWMF HR Manager and the
UWMF Security Officer (with the Privacy Officer providing assistance as necessary) to
investigate any potential breach. The managers and Privacy Officer shall mitigate any
damages that result from the breach.

C. Termination. UWMF ensures that all access to staff user accounts, services, and
resources is revoked as soon as possible, preferably the day of termination, but in no
event later than three (3) business days following any such termination.

D. Reassignment. UWMF ensures that all access to staff user accounts, services, and
resources is appropriate to an employee’s current responsibilities. When staff is
reclassified, the Human Resources Department, in conjunction with the Information
Services department, shall reclassify user access for staff consistent with job
responsibilities. Such reclassification takes place as soon as possible, preferably on the
date of the reassignment, but in no event later than three (3) days after the staff
reassignment takes place. Such accounts include WISCR access, UWMF
Internet/Intranet access, e-mail access, and all shared UWMF computer drives, as well as
desktop drives. Exceptions to these provisions shall be allowed only as necessary to
facilitate patient care and only upon the approval of the Chair of the Health Information /
Confidentiality Committee.

E. List Removal. UWMF removes staff from lists that provide authorized access to
controlled areas, information, services, and resources as soon as possible.

III. PROCEDURES

A. Physical Security. Whenever a UWMF staff member is terminated from association
with the UWMF, or is reassigned within UWMF, the respective departments take the
following actions related to physical security:

1. As applicable, provide written notice to the terminated / reclassified staff member
which requires that she/he turn in all keys, ID cards, or any other objects that
facilitate physical access to property, buildings, vehicles, and any other UWMF
equipment.

2. When appropriate, departments shall also change locks and/or combinations that
control physical access to patient areas, patient records, and UWMF equipment.

B. Non-Termination or Pre-termination Situations. In situations other than termination
or re-assignment, departments shall consider whether actions should be taken as
identified above. For example, when an employee takes an extended leave for medical,
educational or other reasons, or when an employee is placed on administrative leave
pending an investigation, the employee’s Department Manager will determine whether or
not access change is necessary.

C. Termination/Reassignment of UWMF Employees, Volunteers, or other Workforce
Members.

1. UWMF Departments shall notify UWMF’s Human Resources Department of
terminations through the use of the “Payroll Change” form or the “Payroll Change”
e-form found on the intranet. No later than three (3) business days following receipt of
a notice of employee termination, Human Resources shall notify the UWMF IS
Department of the employee’s termination status. Whenever an employee leaves a
department, whether through resignation, transfer, or involuntary termination, or under
any other circumstances, the department shall immediately notify IS.

2. IS shall immediately remove access privileges unless it has received prior notification
of a transfer and the gaining department has detailed the employee’s new access
privileges. Please note: Prior to the IS Department’s termination of a Provider’s user
access, IS shall contact the Director of Health Information Management to determine
that all documentation requirements have been completed.

3. IS shall also monitor existing accounts and if no activity is recorded for three months,
such accounts will be deactivated.

4. On a quarterly basis, the Security Officer’s staff shall audit disabling procedure
effectiveness and timeliness, and shall annually report findings to the Security Officer
and to the Privacy Officer. If an issue is found relating to the effectiveness of the
disabling procedures, then within fifteen (15) days of receipt of any such notice, the
Security Officer shall conduct a review of all suspended accounts for suspicious
activity. Any such activity shall be reported to the Privacy Officer in order to develop
a remediation plan, and to the HR Manager to initiate an appropriate investigation.

5. The IS Department shall record the date whenever accounts are deactivated and
whenever employees are removed from access lists.

6. The IS Department shall maintain a history of access privileges for all current
employees and retain it for 6 years after termination.

D. Termination / Reassignment of UW Health Employees with Access to UWMF
Systems & Records. The HR Departments for each of the UW Health related entities
shall provide the UWMF IS Department with notice of any terminated / reassigned
employee prior to that employee’s last day and no later than three business days
following such department’s notice of the pending termination / reassignment of such an
employee.

E. Assistance. For additional assistance in determining the access levels, please check
with the following individuals:
 • Director of Health Information Department
 • Security Officer
 • Human Resources Information Services Manager
 • Privacy Officer

IV. Author & Review

Sponsor: HIPAA Steering Committee
Author: Michael McKenzie, Manager Technical Systems
Claudia Jane Sanders, Privacy Officer
Sandy Schumacher, Director of Health Information
Traci Schwarting, HRIS Manager
Ed Thiesenhusen, Security Officer
Review: HIPAA Steering Committee Senior Management Team
Committee Approval: HIPAA Steering Committee Senior Management Team
Approved: Peter Christman Date: April 14, 2003