
20180110


Testing and Troubleshooting (AD-POL-017)





Administrative (Non-Clinical) Policy
This administrative policy applies to the operations and staff of the University of Wisconsin Hospitals
and Clinics Authority (UWHCA) as integrated effective July 1, 2015, including the legacy operations and
staff of University of Wisconsin Hospital and Clinics (UWHC) and University of Wisconsin Medical
Foundation (UWMF).


Policy Title: UW Health Testing and Troubleshooting
Policy Number: AD-POL-017
Effective Date: December 20, 2017
Chapter: Administrative
Version: Original

I. PURPOSE
This policy applies to the allowed testing and troubleshooting of electronic information systems
managed by UW Health Information Services (IS) using Protected Health Information (PHI), or using
the identity of another person. This policy:
A. Defines when the use of Protected Health Information (PHI) is acceptable to conduct testing
or troubleshooting.
B. Defines when the use of an identity of another person (including real clinicians) is acceptable to
conduct testing or troubleshooting, and the procedure that must be followed.

II. DEFINITIONS
Electronic information systems: All hardware and software used to manage and facilitate access
to information stored electronically at UW Health. This includes software provided by UW Health
but installed by users on hardware that is not provided by UW Health (e.g., personal computers or
mobile devices).

Protected Health Information (PHI): Any individually identifiable health information that is
transmitted or stored in any form, including oral, written, and electronic. PHI includes
demographic, health, and financial information.

Need-to-Know: Limiting access to information based on whether a user has a legitimate clinical
or business need for access.


III. POLICY ELEMENTS
A. The use of Protected Health Information (PHI) is acceptable to conduct testing or troubleshooting
when:
A. An issue has been reported by an end user regarding a specific patient, and an analyst
must replicate the workflow with that real patient to resolve the issue.
B. Users must first attempt to use test patients to conduct testing, or have a pre-authorized
reason as to the requirement to use the Protected Health Information (PHI) of a real
patient.
C. If the level of effort to configure test patients is excessive or a large number of patients
are needed for volume testing; and/or if an external system or organization can only
accept real patient data.

C. Users must adhere to the need-to-know and minimum necessary philosophies, and acceptable
use guidelines as described in the following policies:
a. Hospital Administrative Policy 6.30 - The Minimum Necessary Rule
b. Hospital Administrative Policy 4.13 - Using and Disclosing (or Releasing) Protected
Health Information
c. UWMF Policy 018 - Minimum Necessary Use and Disclosure Policy & Guidelines
d. UW Health Administrative Policy 1.02 - UW Health Access to Electronic Systems

D. The use of another person’s identity is acceptable to conduct testing or troubleshooting after:
A. Users first attempt to use their assigned test account(s) to conduct testing, or have a pre-
authorized use case for testing with another person’s identity.
a. Pre-authorized use cases can be found in Appendix A - UW Health Testing and
troubleshooting Pre-Authorized Use Cases.
b. Additions to Appendix A will be reviewed by Systems Security and approved by UW
Health Compliance.


IV. PROCEDURES
A. There are two options for obtaining real patients. The first is that the analyst finds real patients
needed for testing. This is common for report testing, interfaces and troubleshooting. The
second option is a request for a set of patients for planned testing. Planned testing is large
scale application/integrated testing often associated with projects such as: Health Link
upgrade, new modules, new functionality, new locations, or modification of existing build. If a
request for real patients is needed, the following process is used.

1. The analyst identifies the need to use real patients for a planned testing session and
submits a request through the UW Health ticketing system to the IS Health Link Prelude
team at least two weeks prior to testing if possible. The request should include:
a. How many patients are needed
b. When the patients are needed by
c. Why real patients are needed
d. Who will be testing with the real patients
e. Any demographic (example: age, gender), account, or coverage requirements
for the patients
f. What Service Area(s) the patients will be tested in

2. The IS Health Link Prelude team:
a. Identifies the approved patients avoiding employees, family, friends, VIPs, etc.
to the best of their ability
b. Provides the approved list of patients to the requester
c. Provides the approved list of patients and the details of the request to the
Privacy/Security Breach Investigation Team
B. Obtaining access to test with another person’s identity.


1. The analyst identifies the need to use another person’s identity for troubleshooting
or planned testing.

2. The analyst submits a request through the UW Health ticketing system to the IS
Systems Security (HL) team. The ticket should include:
a. What person’s identity is needed
b. Who will be using the account
c. When the account will be used
d. What environment the account is needed in
e. Why it is necessary to use another user’s identity
f. Provide the ticket associated with the work

3. IS Systems Security (HL) team will:
a. Follow the established procedures for the pre-authorized use case.
b. Notify the requestor of the appropriate procedure for use of another person’s
identity for testing.

4. The tester notifies the Systems Security (HL) team when the work is complete, so the
changes can be reversed if applicable.

5. The IS Systems Security team sends notification to the Privacy/Security Breach
Investigation Team, including the details in the request and the duration the account
was in use.

C. Additions to Appendix A - UW Health Testing and troubleshooting Pre-Authorized Use
Cases
1. Application Analyst Identified
a. The analyst identifies a new use case that they would like to be considered for
a pre-authorized use and submits a request through the UW Health ticketing
system
b. Requests for the use of real patients should be submitted to the IS Health Link
Prelude team.
c. Requests for the use of someone else’s identity should be submitted to the IS
Systems Security (HL) team.
d. The IS Health Link Prelude Supervisor or the IS Systems Security Manager
reviews the request and if deemed appropriate submits the request to the
Privacy/Security Breach Investigation Team for approval.
e. If the use case is approved for pre-authorization it is added to Appendix A -
UW Health Testing and troubleshooting Pre-Authorized Use Cases by the UW
Health Compliance department.

2. The IS Health Link Prelude Supervisor or the IS Systems Security Manager
a. The IS Health Link Prelude Supervisor or the IS Systems Security Manager
identifies a common use case that is appropriate and submits the request to
the Privacy/Security Breach Investigation Team for approval.
b. If the use case is approved for pre-authorization it is added to Appendix A -
UW Health Testing and troubleshooting Pre-Authorized Use Cases by the UW
Health Compliance department.




V. RELATED POLICIES
1. Hospital Administrative Policy 6.30 - The Minimum Necessary Rule
2. Hospital Administrative Policy 4.13 - Using and Disclosing (or Releasing) Protected Health
Information
3. Hospital Administrative Policy 1.53 - Authentication and Password Policy
4. UWMF Policy 018 - Minimum Necessary Use and Disclosure Policy & Guidelines
5. UW Health Administrative Policy 1.02 - UW Health Access to Electronic Systems
6. Appendix A - UW Health Testing and troubleshooting Pre-Authorized Use Cases

VI. COORDINATION
Sr. Management Sponsor: Paul VanAmerongen
Author: UW Health Systems Security Manager
Reviewer(s): UW Health IS Directors; UW Health VP of Revenue Cycle, & UW Health
Approval committee: UW Health IS Directors

SIGNED BY

Paul VanAmerongen
UW Health Chief Administrative Information Security Officer

Revision Detail:

Effective Date: 12/20/2017
Next Review: 12/20/2020
Summary of Changes: Original release.
Change Authors: Trish Verhage