Added by Richard Ortiz, last edited by Richard Ortiz on May 15, 2007

Project Charter

Project Name: UW NetID Separations Technical Implementation
Project Sponsor: Janelle Brown, UW Medical Center, Executive Director
Richard Meeks, UW Medicine Compliance Officer
Sandy Moy, C&C Chief Operating Officer
Project Manager: Richard J. Ortiz (temporary project manager)
Required Reviews: Unknown
Charter Reviewed by: Unknown
Web Site: N/A
Project Team: UWMC - Janelle Brown, University of Washington (UW) Medical Centers, Executive Director
Compliance - Richard Meeks, UW Medicine Compliance, Compliance Officer
C&C - Richard Ortiz, Computing & Communications (C&C), Technology Manager
C&C - Sandy Moy, UW C&C, Chief Operating Officer
C&C - User Consulting and AAREQ - Rebekah Skiver
UW Medicine Information Technology Services - Help Desk Manager
C&C - Security Middleware, Project Manager
C&C - UW NetID Service Manager, Zephyr McLaughlin
C&C - Security Middleware - Other Technical Staff
Problem Statement: During a C&C review of Account Action Requests (AAREQ) procedures for compliance with HIPAA, made at the request of Human Resources (HR), the Compliance Officer for UW Medicine, and the Attorney General's Office (AGO), it was determined that Section 164.308(a)(3) of the Health Insurance Portability and Accountability Act of 1996 calls for organizations to implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of HIPAA.

Based on the review results, a working subgroup was established to discuss and forward recommendations on requirements for termination procedures to C&C, UW Medicine, Human Resources and terminating departments at the UW.
Project Description/Narrative: The goal of this project is to develop and implement technical solutions that support the requirements for proposed actions to reduce risk and improve compliance for protected health information (PHI) by removing employee access to patient information in accordance with UW policy, state and Federal law as quickly as possible. It is the UW's expectation that employee access to patient information is removed as quickly as possible upon separation from a Health Care component of the UW.

The termination process is primarily owned by the Human Resources components of the University, but since this process primarily affected the University of Washington Medical Centers and Health Sciences departments, the Executive Director for the UWMC and the Compliance Officer for UW Medicine volunteered to move forward with requirements development with input and consulting assistance from Computing and Communications (Chief Operating Officer and the Technology Manager of C&C Information).

Once an approach to separations requirements was developed and agreed upon, the proposed statement on handling terminations/separations was presented to UW Medicine executives.  This group would represent the primary implementation organizations.  The presentation was made and suggestions from this group were incorporated into the requirements statements.

Prior to moving on to the UHR, the C&C representatives requested an informal pre-review of the documentation with the C&C group primarily responsible for making implementing changes to the way accounts were handled during the separation processes -- the Security Middleware group.  The review was somewhat informal, but the responses from the group were represented in the final document that was presented to the University Human Resources Committee (UHR) and included a mock policy statement drafted by Zephyr McLaughlin.

The requirements statements were then reviewed by the UHR Committee. The UHR group would represent the terminations/separations processes at the upper campus locations; this review would keep best practices consistent across the University. The UHR group made suggestions and they were incorporated into the requirements document.

The requirements document approved is:

Account Action Requirements for UW Employees (with special consideration HIPAA protected data)
Assumptions: This project has the following assumptions:
  • UW policy and procedures are in place and available to all employees as a published page on the UW web.
  • An Education Subgroup is in place with a developed plan for distribution and education of the employees that are associated with Health Care components of the UW.
  • A Human Resources Point-of-Contact to answer questions concerning the termination actions.
Specific Objectives:
Develop processes and implement software changes and/or procedures that are included in the Separation Requirements for UW Employees document. The categories of employees include the following:
  1. Separation with no further affiliation
  2. Employee Transfer
  3. Retiree
  4. Student Transfer / Termination
Estimated Start/Completion: Unknown
Task List Plan: To be developed