Educause Security Discussion mailing list archives

HIPAA/Require Authorization Form


From: Leigh Cheek <CHEEK () GWMAIL UTK EDU>
Date: Tue, 21 Jun 2005 16:15:09 -0400

Hello,

I am working on a risk assessment for compliance with the HIPAA security rule
and am trying to determine best practice for granting users access to a
billing system.

Background: Less than 10 departmental users use this system and the
user setup is managed internally by a non-exempt employee who has
knowledge of all duties to be performed (also is not assigned any
regular billing duties). The department head has approved a policy with
a user matrix showing what job title should have what access and even no
access.

Question: Do we need to require the department to have an authorization
form signed by the department head for each user?

Other options: Besides an authorization form, the department head could
sign 1) the matrix if user names are included or 2) another form showing
that the user has a particular title on the matrix.

Thank you for your learned opinions in advance.


Leigh Cheek, CIA, CISA
Auditor
Audit and Consulting Services
University of Tennessee
149 Conference Center Building
Knoxville, TN 37996-4114
(865) 974-4420
fax (865) 974-6171
lcheek () utk edu