Data Access Policy   

 

 

Abstract: 
This policy governs the way in which University employees are authorized to access and interact with sensitive and restricted/PHI institutional data (as categorized by UAB's Data Classification Rule). This policy complements recently revised and developed IT security policies and rules, including the Data Protection and Security Poilcy, Data Classification Rule, and Data Protection Rule.

Effective Date: 12/1/2017

 

Review/Revised Date: 6/30/2022

 

Category: Information Technology

 

Policy Owner: VP Information Technology/CIO

Policy Contact: Director - Security Risk Management and IT Compliance

 
   
 
 

INTRODUCTION 

The University of Alabama at Birmingham (UAB) shall manage access to Sensitive and Restricted/Protected Health Information (PHI) Institutional Data in order to ensure that such access is authorized and based on the principles of least privilege and need to know, that its use is appropriate, and that authorized access complies with UAB policies, standards and rules and relevant state and federal laws. 

SCOPE 

This policy outlines requirements for granting and revoking access to Sensitive and Restricted/PHI Institutional Data.  This policy applies to access to Sensitive and Restricted/PHI Data maintained by the University or party(ies) acting on the behalf of the University.

Data that is classified as Public can be accessed by and distributed to any entity.

Requests for records by the public are outside of the scope of this policy and shall be handled by University Relations and facilitated by the University of Alabama System Office of Counsel.  This policy also does not apply to situations in which the University is legally compelled to provide access to information.  Such requests shall be the responsibility of the University of Alabama System Office of Counsel. 

POLICY STATEMENT 

Data Stewards Approve Access to Sensitive and Restricted/PHI Institutional Data

Access to Sensitive and Restricted/PHI Institutional Data is approved by UAB-designated Data Stewards, whose roles and responsibilities are defined by Section 3.1 of UAB's Data Protection Rule .

  • Data Stewards shall grant access in compliance with the UAB Data Security and Protection Policy and all relevant regulations (e.g. FERPA, HIPAA and GLBA).

  • Data Stewards shall grant access only to those employees, affiliates, and systems that need the access to perform their job duties or mission and have a legitimate need to know.

  • In the event that a Data Steward is not designated, the data in question is owned by the dean, vice president, or head of the unit that creates/owns the data.

Vice Presidents Retain the Right to Approve All Access to SSN Data

Per the UAB Data Classification Rule, Social Security Numbers (SSNs) are classified as Restricted/PHI Data. Therefore, access to SSN data shall not be granted unless approval has been provided by a University Vice President or a Vice President's designee.

UAB Health System Retains the Right to Approve All Access to HIPAA/PHI Data

Appropriate access is provided/controlled according to established policies and procedures within UAB/UABHS HIPAA covered entities.  Access shall be granted based on the need-to-know and the minimum necessary standards. 

Data Stewards are Responsible for Procedures for Requesting, Approving, and Revoking Access

Data Stewards shall ensure that procedures for access to Sensitive and Restricted/PHI Institutional Data are documented and implemented.  Procedures may vary per Data Steward or Data Users group.  However, all procedures shall include sufficient tracking for requests, approvals, and revocations, and such tracking must be auditable. 

Only Authorized Users Shall Access Sensitive and Restricted/PHI Institutional Data

All access by individuals to Sensitive and Restricted/PHI Institutional Data shall be controlled by reasonable measures to prevent access to and/or distribution of said data to unauthorized users. 

Data Users Shall Use Sensitive and Restricted/PHI Institutional Data Responsibly

Data Users must maintain the confidentiality and integrity of data in accordance with all applicable laws, the UAB Data Protection and Security Policy, the Data Classification Rule and  Data Protection Rule . 

Data Stewards May Delegate Approval Responsibilities to a Trusted Designee

A Data Steward may delegate the ability to approve access to Sensitive and Restricted/PHI Institutional Data to individuals in designated roles. Approved documented procedures must exist that allow a trusted designee to grant access for employees that have certain pre-approved roles and responsibilities based on their job requirements and need to know.  Data Stewards retain the responsibility for ensuring that all access to Sensitive and Restricted/PHI Institutional Data is authorized, appropriate, and complies with relevant legal requirements and University policies, standards, and rules. The responsibility for owning and protecting the data does not transfer to designees. 

External Third-Party Access to Restricted/PHI Institutional Data Shall be Governed by Contractual Agreement

Individual contractual agreement or memoranda of understanding (MOU), if the third party is a governmental organization, shall govern access to Sensitive and Restricted/PHI Institutional Data by external parties.  Such contractual agreements shall be approved through the University contract office. 

EXCEPTION 

Exceptions may be granted in cases where security risks are mitigated by alternative methods, or in cases where security risks are at a low, acceptable level and compliance with minimum security requirements would interfere with legitimate academic or business needs.  To request a security exception, complete the Information Security Exception Request Form

NON-COMPLIANCE 

Confirmed violations of this policy will result in consequences commensurate with the offense, up to and including termination of employment, appointment, student status, or other relationships with UAB. 

MAINTENANCE 

This policy will be reviewed by UAB's Information Security Office periodically, or as deemed appropriate. 

IMPLEMENTATION 

The Vice President for Information Technology is responsible for the oversight and implementation of this policy, including the overall procedures related to its implementation and management.

 

Appendix A: UAB Institutional Data Stewards by Data Type (Designations based on UAB Records Retention Schedule) 

Data Type
Data Steward
Student Education Records
Provost and VP of Student Affairs
Administrative Records
VP for Financial Affairs & Administration
Athletics
VP for Financial Affairs & Administration
Legal
Office of Counsel
Financial Data
VP for Financial Affairs & Administration
Employee Data
VP for Financial Affairs & Administration
Public Relations Data
Chief Communications Officer
Sponsored Research
VP for Research & Economic Development
Patient Records (Electronic Patient Health Information)
Student Health Services:  VP of Student Affairs
Academic:  Provost
HIPAA Data: Senior-most VP/Director/Manager
Personally Identifiable Information (PII)
Students: Provost
Faculty & Staff: VP for Financial Affairs & Administration
Departmental Records
Administrative: Senior-most VP/Provost
Financial Aid Records
VP of Student Affairs
Facilities Information
VP for Financial Affairs & Administration
Alumni and Development Data
VP of Development and Alumni
Payment Card Information
VP for Financial Affairs & Administration
Police Records
VP for Financial Affairs & Administration

Related Policies, Procedures, and Resources

Data Protection and Security Policy
Data Classification Rule
Data Protection Rule 
Acceptable Use of Computer and Network Resources
HIPAA Core Policies 
UABHS Interdisciplinary Policies -Information Systems and Network Access