SAMPLE SECURITY RULE IMPLEMENTATION GUIDELINE
Regulation: HIPAA Security Rule: Workforce Security, § 164.308(a)(3)(i)
Overview: Workforce Security involves implementing policies and procedures to permit or deny access by the entity's workforce to electronic protected health information. Each covered entity must establish a personnel security clearance process to administratively determine that persons and computers are trustworthy before giving them access to protected health information. This process must account for, and document, access granted to individuals, programs, and procedures. The process must also address persons who fill roles where incidental access to protected health information may occur, such as computer technicians and maintenance personnel. Supervision of uncleared or unauthorized personnel in such roles is necessary unless their access to protected health information can be precluded. Awareness training on these policies and procedures is required both for those who are cleared for and given access and for those who have only incidental access, such as computer technicians and maintenance personnel.
Implementation Guideline:
This standard is implemented by three "addressable" implementation specifications:
- Authorization and/or supervision (Addressable): implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information (ePHI) or in locations where it might be accessed;
- Workforce clearance procedure (Addressable): implement procedures to determine that the access of a workforce member to ePHI is appropriate; and
- Termination procedures (Addressable): implement procedures for terminating access to ePHI when the employment of a workforce member ends or as required by the workforce clearance procedures.
Considerations:
- Consider establishing written personnel clearance procedures for determining the appropriateness of access to protected health information, computers, or systems.
- Consider ensuring that computer and system users, technical support personnel, service providers, vendors, and staff receive security awareness training.
- Consider ensuring that maintenance and vendor personnel are supervised when working on or near protected health information.
- Consider conducting records checks on applicants for employment, including residence, employment, criminal history, and education, when the job requires access to protected health information. Note: DHHS indicated that there is no absolute requirement for background checks, but that some personnel screening process is required, with its stringency based on the entity's risk analysis.
- Consider requiring workforce, staff, and maintenance/vendor employees to sign non-disclosure statements before being given access to protected health information.
- How closely must maintenance personnel, vendors, visiting business associates, and service providers be supervised?
- How often should procedures, instructions, and levels of access be reviewed?
- How broad, or how specific, should security training be? What should it cover?
- How often should security training be repeated for employees?
- How often should security training be repeated for vendors and other service providers?
- The personnel clearance process is an administrative determination of trustworthiness. A nominal records check should confirm that an individual is not falsifying identity, previous employment, education, or professional certifications, and should surface any potentially disqualifying criminal activity. Federal criminal records are centralized in the FBI database, but state and local records are largely unlinked, so it is necessary to determine where an individual has resided in order to check state and local criminal records in each relevant jurisdiction. Arrest and conviction data are generally public records and available on request.