Remote Access Request Policy
To establish a secured means to access Affinity Health System IT Networks, Systems and Applications, including the MEDITECH Information System, by approved users outside of the Affinity Wide Area Network.
Access: The ability or the means necessary to read, write, modify, or communicate data/information or otherwise make use of any system resource.
Remote Access: The ability to access Affinity Health System (AHS) IT Systems from an off-campus/remote location; this includes home office users, non-Affinity facilities and/or business associates.
Protected Health Information (PHI): Protected Health Information means individually identifiable health information that is: transmitted by electronic media; maintained in electronic media; or transmitted or maintained in any other form or medium.
Provisioning: The process by which Users are granted authorization and access to AHS IT Systems through establishing a unique user identity, password, and assignment of access rights and privileges based on the user's need to know/minimum access requirements. As a secondary responsibility, the provisioning process ensures compliance with, and minimizes the vulnerability of IT Systems to penetration and abuse.
Workforce: Under HIPAA, the workforce is defined to include employees, medical staff members, volunteers, trainees, and other persons whose conduct, in the performance of work for an Organization, is under the direct control of the Organization, whether or not they are paid by the Organization.
- Affinity Health System (AHS) is committed to managing the confidentiality, integrity, and availability of its information technology (IT) networks, systems, and applications (IT Systems). This includes establishing guidelines for Remote Access to the Organization's critical information assets maintained within the IT Systems.
- Remote Access to AHS IT Systems is a privilege granted through the user provisioning process to exempt workforce members, Physicians with active privileges, business associates, vendors, and/or other individuals (Users) as approved by AHS Leadership. Remote Access privileges granted to Users will be restricted to the minimum necessary information required to carry out job responsibilities, terms of business agreements, or as further defined by AHS leadership. Users of Remote Access must have a submitted Remote Access Request form on file with IT. Users who use Remote Access to access MEDITECH must also have a signed Confidentiality agreement.
- Non-Exempt employees: To ensure compliance with labor laws, non-exempt (hourly) employees require Management and Human Resources approval to access any Affinity IT system outside of their work hours or location. Non-exempt employees approved for remote access must document and submit for payment, through API or another approved method, any and all time spent accessing work-related emails and other applications and files, according to the pay practices and payroll processing timelines of Affinity Health System.
- Remote Access only allows the Physicians to conduct hospital business and is in no way an additional benefit to the Physician or their practice.
- All Remote Access usage is subject to audits for compliance with AHS confidentiality policies. Compliance or policy breaches will result in immediate revocation of Remote Access privileges and are also subject to corrective action or legal action. VP approval will be required for restoration of privileges.
- Violations of the terms of a user's Remote Access privileges shall be subject to immediate revocation and/or corrective action as follows:
  - Workforce Members: Corrective action up to, and including, termination of employment and prohibition of future access to AHS IT Systems.
  - Business Associates/Vendors: Corrective action up to, and including, termination of the business agreement/contract.
  - Other: As determined by Affinity leadership.
- Unless otherwise agreed upon by AHS, Remote Access users shall maintain responsibility for personal hardware, software, and systems used when obtaining Remote Access. Affinity Health System technical support shall be available to users for issues related to Affinity-owned/sponsored hardware, software and systems.
- The use of remote proxy software (e.g., PC Anywhere, GotoMyPC, WebEx, LogMeIn, etc.) to enable individual/personal Remote Access to a local desktop from outside the Affinity network is not permitted on a user's device without the express permission of AHS IT Leadership (Exception: The use of the Affinity approved support tools by IT staff for technical support).
- Remote Access privileges may include the ability to download or print documents/files that contain patient Protected Health Information or confidential business information. Any documents/files downloaded or printed via Remote Access shall be managed in accordance with AHS practices for retention and destruction of confidential information (documents containing confidential information shall be shredded before disposal). For additional information see Policy 00348 Record Destruction/Disposal Policy.
- AHS shall audit Remote Access by users, as needed, and act upon any suspicious system activity and/or security device failures. The cooperation of the Remote Access user and/or the sponsoring Organization is required during an investigative process.
- AHS does not support Remote Access for those users whose PC environment does not include the following:
  - Pentium 4 processor or greater
  - Minimum 1GB RAM
  - Windows 2000 or later operating system
  - End-user provided Internet connectivity (dial-up connections are not supported)
- Mac OS is not supported.
- If the Remote Access user has difficulty installing the necessary software/plug-in, they can contact the Affinity IS Help Desk for assistance. Affinity IS is not able to support problems with non-Affinity PCs (e.g., hardware, software, Internet connectivity) other than problems with the operation and installation of the Citrix Web Interface.
- Failure to comply with this policy may result in corrective action.