Internal HIPAA-required policy. HIPAA reference: § 164.308(a)(3), (a)(4), (a)(5).
1. Onboarding
- Workforce member completes HIPAA training before any PHI access is granted.
- Manager submits an access request specifying the role and the access policy to apply.
- Security Officer (or delegate) reviews and approves.
- Account is created with the minimum-necessary access for the role.
- Access is recorded in the user audit log.
2. Modification
- Role changes require a new access request from the new manager.
- Old role is revoked at the same time the new role is granted.
- Both events are audit-logged.
3. Termination
- HR notifies Security Officer at the moment of termination (voluntary or involuntary).
- All sessions are revoked within 1 hour.
- Account is deactivated; data is retained per the Privacy Policy retention schedule.
- Hardware is recovered and sanitized per the Physical Safeguards Policy.
- Termination event is audit-logged.
4. Quarterly review
- Security Officer reviews the full user list every quarter.
- Inactive accounts (no login in 90 days) are deactivated.
- Roles are confirmed against current job duties.
- Review snapshot is retained for 6 years.
5. Break-glass emergency access
- Approved only in active incident response scenarios.
- Requires Security Officer authorization in advance.
- All break-glass sessions are flagged in the audit log.
- Reviewed within 1 business day of use.