sponsibility for granting or denying access privileges is assigned to information systems personnel, human resources personnel, supervisors, others appointed by management, or some combination of the above.

The structure for granting access privileges may be centralized or distributed. In a centralized model, information systems personnel usually grant the privileges approved by others. The advantage of this approach is that workers in the information systems department understand system requirements and the levels of access defined for various user roles; they are centrally located and easily contacted. The disadvantage is that they may not understand requests that stray from standard guidelines. Similarly, human resources personnel are responsible for administering new hires, transfers, and terminations and need to be closely involved in granting access privileges, but they are not close enough to the practical needs of health care providers to appraise unusual, but legitimate, requests for access.

Several sites used a more distributed model. In one instance, corporate vice presidents assigned authority to supervisors or department heads in various areas to grant access to particular databases or applications. Employees requested access privileges from the relevant authority and demonstrated their need to know. Supervisors understood job responsibilities (and, in fact, assigned them) that crossed standard rolebased access privileges and, thus, were able to evaluate the request. In emergency situations, workers could be granted access to clinical systems from a head nurse. This model has the advantage of assigning responsibility for certain sets of data to the employees most likely to understand legitimate requests for access. Having a variety of access granters helps ensure that someone will be readily available in all but the most unusual circumstances. A disadvantage that may be demonstrated is a lack of coordination among access granters that can lead to the system being vulnerable to nontechnical activities undertaken by individuals with an intent to deceive. For example, unless the access granter is scrupulous about checking the legitimacy of requests, someone may pretend to need access when, in fact, no real need exists.

Another site used a decentralized system of data stewards and custodians. Data stewards are responsible for particular data sets. They are typically department heads, division chairs, or principal investigators on research projects who are knowledgeable about the content of the data sets and can make appropriate decisions about its protection. Data stewards are formally charged to (1) recommend mechanisms and practices for protecting the data; (2) communicate control and protection requirements to data custodians (see description below) and system users; (3) coordinate with the information systems department to authorize access to particular sets of data (e.g., laboratory results or surgical notes);

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement