Authorization & Access Management.

A. All access requests must be documented and approved, using the appropriate forms located on the Intranet, according to SVHC procedures.
B. Authorization and access management procedures must follow the least privileges/minimum necessary information requirements of the HIPAA Privacy Rule.
C. Access must be granted and used only for authorized business purposes.
D. User IDs and passwords, or other authentication methods must uniquely identify individuals accessing ePHI.
E. Sharing a user ID or using another user's ID is prohibited.
F. Users are responsible for all activities performed under their user IDs.
G. All user passwords must be kept confidential, must be periodically changed, and are not to be shared with any other individual.
H. Passwords must be at least 8 characters in length or the maximum length allowed by an application. The configuration and/or use of strong passwords are required when technically and operationally feasible.
I. A password must be changed if the security of the password is believed to be breached or compromised.
J. Whenever possible, user IDs must not give any indication of administrative privilege level assigned to the account.
K. Users must log out or invoke a password-protected screen saver or equivalent when leaving a workstation unattended.
L. Auto logoff must be implemented whenever technically feasible.
Appears in 2 contracts
Sources: Purchased Services Agreement, Purchased Services Agreement (American Shared Hospital Services)