This entry is part 32 of 59 in the series Complete Guide to HIPAA Security Final Rule

(a) A covered entity must, in accordance with § 164.306:

(3)(i) Standard: Workforce security.  Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

Tell Me More:

The Workforce Security standard requires covered entities to implement policies and procedures to ensure that all members of their workforce have appropriate access to electronic protected health information (ePHI) and to prevent those workforce members who do not have access from obtaining access to ePHI.

This standard addresses requirements for a covered entity’s workforce in terms of individual access to sensitive information. This area includes the following implementation specifications:

• Authorization and/or supervision

• Workforce clearance procedure

• Termination procedures

This standard will result in assurances that all personnel with access to electronic PHI have the required access authority as well as the appropriate clearances.

The rigor with which an organization implements procedures for authorization and/or supervision of workforce members is left up to each entity. The regulation encourages organizations to conduct a risk analysis to determine the at-risk areas in the organization.

The purpose of termination procedure documentation under this standard is not to detail when or under which circumstances a workforce member should be terminated. That information more appropriately belongs in the entity’s sanction policy. The purpose of termination procedure documentation is to ensure that termination procedures include the security-specific actions to be followed, for example revoking passwords and retrieving keys, whenever a termination occurs or a workforce member is reassigned to a role with different access privileges (for example, from clinical to non-clinical).

The Final Security Rule is committed to the principle of technology neutrality, because rapidly changing technology makes it impractical and inappropriate to name a specific technology. Therefore, it is deemed much more appropriate for the final rule to state a general requirement for Workforce Security and depend on covered entities to specify the technical details.

Best practices, as well as the final Security Rule, include all workforce members regardless of their location. For instance, telecommuters, the virtual workforce and the mobile workforce must be included in the maintenance of current authorization and clearance lists.
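As an added example that is not part of the original post, the reconciliation check below compares a constructed HR roster against a constructed account directory and flags the conditions this standard targets: terminated workers whose accounts are still enabled, reassigned workers (here, clinical to non-clinical) who kept old entitlements, and accounts with no roster entry at all. Remote and mobile workers are reviewed exactly like onsite staff; the field names and the role-to-entitlement map are assumptions.

```python
# Constructed sample data (not from the original post). Field names and the
# role-to-entitlement mapping are assumptions for illustration only.
ROLE_ENTITLEMENTS = {
    "clinical": {"ehr_read", "ehr_write"},
    "billing": {"claims_read"},
    "non-clinical": set(),
}

HR_ROSTER = [
    {"user": "alice", "status": "active", "role": "clinical", "location": "onsite"},
    {"user": "bob", "status": "terminated", "role": "clinical", "location": "remote"},
    {"user": "carol", "status": "active", "role": "non-clinical", "location": "remote"},
]

ACCOUNTS = [
    {"user": "alice", "enabled": True, "entitlements": {"ehr_read", "ehr_write"}},
    {"user": "bob", "enabled": True, "entitlements": {"ehr_read"}},         # not deprovisioned
    {"user": "carol", "enabled": True, "entitlements": {"ehr_read"}},       # stale after reassignment
    {"user": "svc_legacy", "enabled": True, "entitlements": {"ehr_read"}},  # nobody on the roster
]


def review_access(roster, accounts):
    """Return (user, issue) findings; an empty list means the directory agrees
    with the roster. Location is deliberately ignored: every worker is checked."""
    by_user = {r["user"]: r for r in roster}
    findings = []
    for acct in accounts:
        person = by_user.get(acct["user"])
        if person is None:
            findings.append((acct["user"], "account has no roster entry"))
            continue
        if person["status"] == "terminated" and acct["enabled"]:
            findings.append((acct["user"], "terminated but account still enabled"))
            continue
        # Entitlements beyond what the current role allows indicate a reassignment
        # that was never followed by a privilege review.
        extra = acct["entitlements"] - ROLE_ENTITLEMENTS[person["role"]]
        if extra:
            findings.append((acct["user"],
                             f"entitlements exceed role {person['role']}: {sorted(extra)}"))
    return findings


if __name__ == "__main__":
    for user, issue in review_access(HR_ROSTER, ACCOUNTS):
        print(f"{user}: {issue}")
```

Running this periodically against exported HR and directory data gives the documented evidence that authorization lists are actually kept current.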


Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.