(a) A covered entity must, in accordance with § 164.306:
(3)(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
Tell Me More:
The Workforce Security standard requires covered entities to implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information and to prevent those workforce members who do not have access from obtaining access to electronic protected health information (ePHI).
This standard addresses requirements for a covered entity’s workforce in terms of individual access to sensitive information. This area includes the following implementation specifications:
• Authorization and/or supervision
• Workforce clearance procedure
• Termination procedures
This standard will result in assurances that all personnel with access to electronic PHI have the required access authority as well as the appropriate clearances.
The rigor with which an organization implements procedures for authorization and/or supervision of workforce members is left up to each entity. The regulation encourages organizations to conduct a risk analysis to determine the at-risk areas in the organization.
The purpose of termination procedure documentation under this standard is not to detail when or under which circumstances a workforce member should be terminated. This information would more appropriately be part of the entity’s sanction policy. The purpose of termination procedure documentation is to ensure that termination procedures include security-unique actions to be followed, for example, revoking passwords and retrieving keys when a termination or reassignment with different access privileges (for example from clinical to non-clinical, etc) occurs.
The Final Security Rule is committed to the principle of technology neutrality due to the fact that rapidly changing technology makes it impractical and inappropriate to name a specific technology. Therefore, it is deemed much more appropriate for the final rule to state a general requirement for Workforce Security when necessary and depend on covered entities to specify technical details.
Best Practices, as well as the final Security Rule, include all workforce members despite their location. For instance, telecommuters, the virtual workforce and mobile workforce must be included in the maintenance of current authorization and clearance lists.