MSP Policy: Remote Desktop User Access Authorization

Policy Name: Remote Desktop Access Authorization and Documentation Policy
Effective Date: [Insert Date]
Applies To: All MSP Personnel, Client Organizations, and Authorized Remote Desktop Users

Purpose

The purpose of this policy is to establish a secure and compliant process for granting Remote Desktop (RDP) access to client systems. This policy ensures proper authorization, documentation, and compliance with HIPAA and other applicable security requirements.

Policy Statement

Remote Desktop access shall only be granted upon receipt of a documented request from an authorized client representative. All access requests must be properly verified, documented, and retained to provide a complete audit trail.

Verbal requests alone are not sufficient and will not be accepted under any circumstances.


Authorized Requestors

Remote Desktop access requests may only be submitted by:

  • Practice Owner
  • Office Manager (Approved by Owner)
  • Authorized Management Personnel listed on the client's approved contact forms

Staff members, employees, contractors, or end users may not request remote access directly.

Any request received directly from a staff member must be referred to an authorized manager for approval before processing.


Required Documentation

For HIPAA compliance and security auditing purposes, all requests must be documented through one of the following methods:

  • Email from an authorized requestor
  • Text message from an authorized requestor
  • Written request submitted through an approved ticketing system

Verbal authorization provided by phone or in person is not acceptable as the sole form of authorization.

A documented paper trail must exist before access is granted.


Required Information

All access requests must include the following information:

  1. Full Legal Name of User
  2. Email Address
  3. Mobile Phone Number
  4. Devices or Systems Requiring Access
    • Workstation Name(s)
    • Server Name(s)
    • Application Server(s)
    • Other designated devices

Requests missing any required information shall be returned for completion.


Verification Procedure

Before granting access, MSP personnel must:

Step 1: Review Authorized Contacts

  • Verify the requestor is listed on the client's current management or authorized contact form.
  • Confirm the requestor has authority to approve remote access.

Step 2: Validate Documentation

  • Ensure the request was received via email, text message, or approved ticketing platform.
  • Attach all supporting documentation to the service ticket.

Step 3: Review User Information

Confirm all required information has been provided:

  • Full Name
  • Email Address
  • Mobile Number
  • Device(s) requiring access

Step 4: Document Authorization

Record the following in the service ticket:

  • Date and time of request
  • Requestor's name
  • Authorization method (email, text, ticket)
  • User information
  • Systems authorized
  • Technician processing the request

Escalation and Fraud Prevention

Escalation is required if any of the following conditions exist:

  • The requestor is not listed as an authorized manager.
  • The request appears suspicious or inconsistent.
  • The technician is uncertain of the request's legitimacy.
  • Contact information does not match records.
  • The request originates from an unknown source.

In that case, the technician must:

  1. Stop processing the request immediately.
  2. Contact the Practice Owner and/or Management by phone using a known phone number on file.
  3. Independently verify the authorization.
  4. Document the verification conversation in the service ticket.

No access shall be granted until verification is completed.


HIPAA Compliance Requirements

To maintain HIPAA compliance:

  • All access authorizations must be retained within the ticketing system.
  • Documentation must be stored according to the MSP's retention policy.
  • Access records must be available for audit and compliance reviews.
  • Verbal approvals without written documentation are prohibited.
  • All remote access permissions must be granted using the principle of least privilege whenever possible.

Record Retention

The following records must be maintained:

  • Authorization emails
  • Text message screenshots or exports
  • Service ticket notes
  • Verification records
  • Access provisioning documentation

Records shall be retained in accordance with the MSP's document retention and HIPAA compliance requirements.


Policy Enforcement

Failure to follow this policy may result in:

  • Delayed access provisioning
  • Security incidents
  • HIPAA compliance violations
  • Internal disciplinary action

All MSP personnel are responsible for ensuring this policy is followed before granting any Remote Desktop access.


Standard Authorization Statement

Remote Desktop access requests must be submitted by the Practice Owner, Physician, Office Manager, or other authorized management personnel. Requests must be documented via email, text message, or approved ticketing system and must include the user's full name, email address, mobile number, and devices requiring access. Verbal requests will not be accepted. If authorization cannot be verified or appears suspicious, MSP staff must contact the Practice Owner or Management by phone using known contact information before granting access. Staff members are not authorized to request Remote Desktop access directly.
