HIPAA - To implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the U.S. Department of Health & Human Services (HHS) adopted the Security Rule (45 CFR Part 160 and Part 164, Subparts A and C); at the time this application was implemented, the Centers for Medicare and Medicaid Services (CMS) was the HHS component responsible for the Security Rule. Standards from this rule include the Administrative Safeguards at § 164.308. The objective of the rule that CSA addresses is to restrict access to protected health information (PHI) to those employees who need that access to do their jobs, and to keep that access current as jobs change.
The Clinical Systems Audit (CSA) application was implemented to address the Security Rule requirement at § 164.308(a)(4)(ii)(C), Access Establishment and Modification. As described by CMS, this safeguard requires that entities such as Mass General Brigham:
"Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process."
Auditing requirement - Every year, managers at Mass General Brigham are required to audit the access and authorizations of the employees who report directly to them. The audit follows a rolling monthly schedule, with each site assigned a month. On the first Wednesday of a site's designated month, CSA generates a pre-live audit report for that site's Privacy Officers (POs) to review and to identify managers who will need assistance. On the Monday after that first Wednesday, CSA automatically emails the managers a reminder that the audit is due. Managers then have three (3) weeks to complete the audit; one additional week is available to a manager who needs assistance.
Logging in, timing out, logging out - Managers and Privacy Officers log in to CSA with their Mass General Brigham network user ID and current network password. After 15 minutes of inactivity the application times out and returns to the login screen; unsaved changes to an audit in progress may be lost. Log out when you are no longer actively using CSA, particularly on a shared or unattended workstation.
Manager's review - Clinical Systems Audit lets a manager review the access that each direct report has to the clinical applications at Mass General Brigham. For each employee, the review lists every system the employee can access and the functions the employee is authorized to use within it. The systems and authorizations shown are those granted through Mass General Brigham Authorization System (PAS) keygiving. From this review, a manager can remove individual authorizations (functions) or remove an employee's access to an application entirely, for one or more applications, when the employee no longer needs them.
For employees with multiple roles and/or managers, the manager responsible for the audit is determined by the number of hours the employee works in each role. This ensures that a direct report is audited exactly once per year rather than once per manager. If an employee you are auditing holds authorizations associated with a role under a different manager, consult that manager before acting, so that the access each job role requires is retained and access that is no longer needed is removed.
Manager Status view - The Manager Status View allows managers of managers to review the audit responsibilities and completion status of all managers who report to them, and to create an email to an individual manager or to all non-compliant managers on the list.
Privacy Officers view - The PO Manager View allows Privacy Officers to review the audit responsibilities and completion status of any manager at their site, view the access and authorizations of that manager's employees, and delegate an audit to another manager.
Delegation - When another manager at the same site is the more appropriate reviewer for a given employee (for example, the manager who directly supervises that employee's clinical work), a manager can delegate the review of that employee's access and authorizations to that manager.
Reporting and statistics - CSA provides several reports for managers and Privacy Officers. When a report indicates that action is needed, the manager or Privacy Officer can take that action directly from the report view.