This requirement is one of the HITECH Act provisions. There are four implementation specifications that are associated with the Access Controls standard:
- Unique User Identification (detailed on this page)
- Emergency Access Procedure
- Automatic Logoff
- Encryption and Decryption
Unique User Identification
Each admin user is automatically assigned a unique number for identifying and tracking user identity, actions, and behaviour. Each person must have their own admin account, and each admin user must have the following attached:
- the user's first and last name
- the user's email address
According to UNIQUE USER IDENTIFICATION (R) - § 164.312(a)(2)(i):
"Assign a unique name and/or number for identifying and tracking user identity."
Each action, pageview, navigation, data download, data upload, and all other actions or activities taken by admin users are logged to the System Log.
To assist in reviewing and auditing actions taken by admin users, you can use our built-in "Audit Log" tool.
When an admin user logs in, they will receive an email with the details of their login, including the time, location, and IP address of the device used to log in.
Notifying users when their account has logged in helps the user detect whether any unauthorized access has occurred. For example, if a user receives a notification that their account was logged in to while they were not at a computer, they can alert that there may have been unauthorized access.
The Kiva Logic software has a feature to enable strong password requirements for admin users. When enabled, strong passwords are required and enforced when creating a new admin user or when an admin user updates their password. A strong password must be at least 8 characters long and contain:
- at least one number
- at least one lower case letter
- at least one upper case letter
- at least one special character, such as '$', '#', '!'
Role Based Access Control
Admin users are granted access to information, reports, and various admin pages based on Roles. The two most commonly used admin Access Levels in HIPAA applications are:
Orders & Delivery Pages
This admin type has access only to the Delivery page, which allows for downloading of shipping and packing labels, and the Orders page. They are restricted from accessing any other admin pages/actions/functions.
Cust Service
The "Cust Service" admin type only has access to the 'Customers' page, and the ability to view individual customer accounts. In addition, using the 'Attach admin ID to customer' feature allows the "Cust Service" admin type to view only the customers that they have personally entered into the system. They are prevented from seeing any customer accounts that they themselves did not enter into the system.
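The two access levels above, written out as a deny-by-default authorization check. This is an added illustration, not Kiva Logic's own code; the page names, the `entered_by_admin_id` field, the `attach_admin_id_enabled` flag and the third "full_admin" role are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    ORDERS_DELIVERY = "orders_delivery"  # "Orders & Delivery Pages" admin type
    CUST_SERVICE = "cust_service"        # "Cust Service" admin type
    FULL_ADMIN = "full_admin"            # assumed unrestricted role, not on the page


# Pages each role may open. None means unrestricted; a role missing
# from this table gets no pages at all (deny by default).
PAGE_ALLOW = {
    Role.ORDERS_DELIVERY: {"delivery", "orders"},
    Role.CUST_SERVICE: {"customers"},
    Role.FULL_ADMIN: None,
}


@dataclass(frozen=True)
class AdminUser:
    admin_id: int   # the unique number assigned to every admin user
    role: Role


@dataclass(frozen=True)
class Customer:
    customer_id: int
    entered_by_admin_id: int  # set by the 'Attach admin ID to customer' feature (assumed name)


def can_open_page(user: AdminUser, page: str) -> bool:
    """Page-level check: unknown roles and unlisted pages are denied."""
    allowed = PAGE_ALLOW.get(user.role, set())
    return allowed is None or page in allowed


def can_view_customer(user: AdminUser, customer: Customer, attach_admin_id_enabled: bool) -> bool:
    """Record-level check layered on top of the page check."""
    if not can_open_page(user, "customers"):
        return False
    # With the feature on, Cust Service only sees customers they entered themselves.
    if user.role is Role.CUST_SERVICE and attach_admin_id_enabled:
        return customer.entered_by_admin_id == user.admin_id
    return True


def visible_customers(user: AdminUser, customers, attach_admin_id_enabled: bool):
    """Filter a customer list down to what this admin is allowed to view."""
    return [c for c in customers if can_view_customer(user, c, attach_admin_id_enabled)]
```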