Educause Security Discussion mailing list archives
HIPAA/Require Authorization Form
From: Leigh Cheek <CHEEK () GWMAIL UTK EDU>
Date: Tue, 21 Jun 2005 16:15:09 -0400
Hello,

I am working on a risk assessment for compliance with the HIPAA security rule and am trying to determine best practice for granting users access to a billing system.

Background: Less than 10 departmental users use this system, and the user setup is managed internally by a non-exempt employee who has knowledge of all duties to be performed (also is not assigned any regular billing duties). The department head has approved a policy with a user matrix showing what job title should have what access and even no access.

Question: Do we need to require the department to have an authorization form signed by the department head for each user?

Other options: Besides an authorization form, the department head could sign 1) the matrix if user names are included or 2) another form showing the user has a particular title on the matrix.

Thank you for your learned opinions in advance.

Leigh Cheek, CIA, CISA
Auditor
Audit and Consulting Services
University of Tennessee
149 Conference Center Building
Knoxville, TN 37996-4114
(865) 974-4420
fax (865) 974-6171
lcheek () utk edu