As described in the Agreement, access to DHE enterprise data is time-bound based on the lesser of the requestor’s continued need in their approved use case(s) or 365 calendar days from access being granted. Access can be renewed by supplying evidence of continued need as an update to an approved use case. To mitigate the risk of gaps in access for users who need additional time, active users will receive a reminder via email 11 months into their current access period. In the event of a job or role change or of completion of their work on their approved use case(s), users will notify the program within 30 days of the change so that access may be terminated expeditiously. Renewal is also contingent upon demonstrating appropriate maintenance of required skills.
As described in the Agreement, users agree to describe their intended use of the data accessed via their SQL code, and to limit their use of direct SQL access to these approved use cases. HIPAA requires that Duke have in place mechanisms to limit users’ access to data that is “minimally necessary” for the user to accomplish their approved use case goals. These mechanisms include policy and technology controls, as well as usage monitoring. Users should note that their direct SQL-related activity is logged and subject to periodic audit. Users found to be out of compliance will be subject to suspension of their access, and other users in the department may become subject to additional scrutiny.