Overview

Department Managers and Sponsors are responsible for notifying the correct Human Resource Agency and Health System Technology Services IT Security when a termination of access is needed.

Purpose

To provide the procedures used by the Medical Center to terminate employee/customer access.

Scope

This procedure applies to all UVa Medical Center Managers, Supervisors and Sponsors.

Description

  • Departmental Managers must notify Medical Center Human Resources promptly when an individual no longer requires access to a particular system due to a change in job duties or termination of employment.  Health Information and Technology (HIT) Security will terminate the individual’s access to institutional network and computer systems as appropriate.

 

  • Department Managers and Sponsors are responsible for the removal of employee access for employee transfers into their respective departments via the Supervisor Review Application. The new Manager/Sponsor is responsible for requesting any new system access that will be required for the employee's new job role.

 

  • Department Sponsors of non-UVa employees (i.e., Non-Medical Center, Non-UPG or Non-Academic) are responsible for notifying HIT Information Security Office by sending an email to MCCSecurity@hscmail.mcc.virginia.edu when a termination is needed.

 

  • All Human Resource Agencies (209, 207 and UPG) will provide a daily report of terminations to the HIT Security Office. HIT Security will disable all network, email and access to information systems assigned to the terminated individual.

 

  • Department Managers and Sponsors are responsible for identifying employees and vendors who no longer have a need to access sensitive information. As of that identification, the Manager or Sponsor should first ensure that information previously accessed by that employee and needed by the Medical Center has been appropriately secured. Specifically, (a) it must be stored in the appropriate location (database or file system) and (b) it must be removed from all storage media used by an employee or customer who no longer needs access to sensitive information. Sensitive information includes electronic Personal Health Information (PHI) and Personally Identifiable Information (PII). Storage media includes workstations, external hard drives, offsite storage facilities, and mobile devices capable of storing information.

 

  • When an individual is being terminated abruptly, departmental managers are responsible for notifying HIT Security by sending an email to MCCSecurity@hscmail.mcc.virginia.edu. Upon receiving the email, HIT Security will remove all accesses and notify the manager when completed. In addition, the HR Consultant or Manager should contact the HIT Security Director to ensure the terminated employee's access is revoked immediately.

 

  • When an individual is terminated, physical badge access to Medical Center resources will be revoked.

 

Any requests for variation from this policy, such as extensions, will be considered on an individual basis and must be directed to MCCSecurity@hscmail.mcc.virginia.edu. The request will be evaluated by the HIT Security Director and approved or denied based on the reasons for the extension.

Document Supporting Resources