Access Request Procedures

Overview

The Health Information and Technology (HIT) Security Office provisions access to most of the "core" applications supporting the Medical Center. The procedures for requesting access to Medical Center information resources will depend on the agency or user submitting the access request in addition to the access that is being requested.

Purpose

To delineate specific procedures for requesting computer access to Medical Center institutional information systems and electronic medical records so as to maintain security and confidentiality of data, protection of files, and consistency of information regarding use of the systems.

Scope

This procedure applies to all faculty, staff, GME trainees, students, volunteers, and other individuals working within the Medical Center or a Health System affiliate who have, or are responsible for, a computer account or any form of access that supports or requires a password on any system that resides at any Medical Center facility, has access to the Health System network, or stores any non-public Health System information. All new Medical Center (209) employees, applicable customers within University Physicians Group (UPG), and the UVA Academic Agency (207) are required to sign the Electronic Access Agreement (EAA). The respective Human Resource departments are responsible for the retrieval of signature and storage of the EAA. Third party vendors and contractors (i.e., External Customers) must sign the EAA prior to being granted access to Health System information systems. The respective Health System department is responsible for the retrieval of signature and storage of the EAA. If third-party vendors or contractors will require access to Protected Health Information (PHI) the Business Associate Agreement (BAA) will also need to be completed. (See Medical Center Policy No. 0013: Vendors, Sales and Service Representatives and BAA)

Description

All users must adhere to Medical Center Policies, procedures, and guidelines associated with information security and access to sensitive information or Electronic Protected Health Information (EPHI). See Health System Policy IT-002: Use of Electronic Information and Systems (reference link under Supporting Resources located on the right).

 

A UVa Computing ID and Health System Network account must be created before access to institutional computer systems is requested.

 

Access to Information Systems managed by Health System Technology Services is requested through the Online Access Request Form (reference link under Supporting Resources located on the right).

 

The Access Request Procedures outline step-by-step instructions for requesting access to Medical Center information resources. In addition, the Access Request Workflow Diagram provides a visual reference of the entire process. Submit your request via the Online Access Request (reference link under Supporting Resources located on the right).

 

Managers are responsible for ensuring employees have the appropriate level of access to Medical Center institutional information systems.

 

Managers must review and revalidate all employee access at least annually by utilizing the Supervisor Review application (reference link under Supporting Resources located on the right).

 

All new Medical Center (209) employees, applicable customers within University Physicians Group (UPG), and the UVA Academic Agency (207) are required to sign the Electronic Access Agreement (EAA). The respective Human Resource departments are responsible for the retrieval of signature and storage of the EAA.

 

Third party vendors and contractors (i.e., External Customers) must sign the EAA prior to being granted access to Health System information systems. The respective Health System department is responsible for the retrieval of signature and storage of the EAA.

 

If third party vendors or contractors will require access to PHI the Business Associate Agreement (BAA) will also need to be completed. (See Medical Center Policy No. 0013: Vendors, Sales and Service Representatives and BAA)

 

Document Supporting Resources