Overview

Department Managers and Sponsors are responsible for notifying the correct Human Resource Agency and Health System Technology Services IT Security when a termination of access is needed.

Purpose

To provide the procedures used by the Medical Center to terminate employee/customer access.

Scope

This procedure applies to all UVa Medical Center Managers, Supervisors and Sponsors.

Description

  • Departmental Managers, Supervisors and Sponsors must promptly notify the HIT Security team and Medical Center Human Resources when an individual no longer requires access to a particular system due to a change in job duties or termination of employment. 

 

  • Emergency Terminations: When an individual is being terminated abruptly, departmental managers are responsible for notifying HIT Security by sending an email to MCCSecurity@hscmail.mcc.virginia.edu. Upon receiving the email, HIT Security will remove all access and notify the manager when completed. In addition, the HR Consultant or Manager should contact the HIT Security Director to ensure the terminated employee's access is revoked immediately.

 

  • Daily Terminations: UVA Human Resources, via Workday, will provide the HIT Security Office with a daily report of all UVA Health System, Academic, and University of Virginia terminations. HIT Security will disable all network, email and information system access assigned to the terminated individual. Terminations will be processed within 24 hours per our committed SLA.

 

  • Sponsored Account Terminations: All Department Sponsors of non-UVa employees (i.e., Non-Medical Center, Non-UPG or Non-Academic) are responsible for notifying the HIT Information Security Office by sending an email to MCCSecurity@hscmail.mcc.virginia.edu when a termination is needed.

 

  • Internal Position Transfers: Department Managers, Supervisors and Sponsors are responsible for ensuring the removal of employee access that is relevant to their new role within the organization. The new Manager/Sponsor is responsible for requesting any new system access that will be required for the employee's new job role.

 

  • Routine audits are completed by the HIT Security team to clean up inactive accounts. Inactive AD accounts are disabled after 13 months of non-use. Additionally, inactive account audits are conducted on some other information systems such as Epic.

 

  • Department Managers and Sponsors are responsible for identifying employees and vendors that no longer have a need to access sensitive information. Upon that identification, the Manager or Sponsor should first ensure that information previously accessed by that employee and needed by the Medical Center has been appropriately secured. Specifically, (a) it must be stored in the appropriate location (database or file system) and (b) it must be removed from all storage media used by an employee or customer who no longer needs access to sensitive information. Sensitive information includes electronic Personal Health Information (PHI) and Personally Identifiable Information (PII). Storage media includes workstations, external hard drives, offsite storage facilities, and mobile devices capable of storing information.

 

 

  • When an individual is terminated, physical badge access to Medical Center resources will be revoked.

 

Any requests for variation from this policy, such as extensions, will be considered on an individual basis and must be directed to MCCSecurity@hscmail.mcc.virginia.edu. The request will be evaluated by the HIT Security Director and approved or denied based on the reasons for the extension.

Document Supporting Resources