(ii) Implementation specifications:
(B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
Tell Me More:
Based upon the results of your risk analysis, your organization may need to ensure that personnel are granted access to health information only after receiving appropriate clearances. This is important to prevent unnecessary or inadvertent access to protected information. The covered entity should employ personnel clearance procedures prior to hiring; these could consist of standardized personnel and professional reference checks.
The objective of the Workforce Clearance Procedure implementation specification is to implement procedures to determine that the access of a workforce member to electronic protected health information (EPHI) is appropriate.
Covered entities need to implement procedures to determine that a workforce member's access to electronic PHI is appropriate. The need for, and the extent of, a screening process is normally based on an assessment of risk, cost, benefit and feasibility, as well as on the other protective measures already in place. Effective personnel screening can therefore range from minimal procedures to more stringent ones, depending on the risk analysis performed by the covered entity.
This is an addressable implementation specification because, for example, a personnel clearance procedure may not be reasonable or appropriate for a small provider whose only assistant is his or her spouse. The implementation specification is not mandatory, but must be addressed.
Questions to consider:
- Are checks on permanent staff carried out before hiring? If not, consider implementing such checks, particularly for individuals with access to sensitive information.
- Are checks on temporary staff carried out, either by contract with the temporary staffing agency or by the covered entity, prior to allowing access to ePHI and other PHI? It may be necessary to change staffing agencies or alter the contract with a staffing agency to ensure this is done. [Note: Temporary staff includes students, staff augmentation personnel, volunteers, credentialed providers who are not employees of the organization, etc.]
- Are employees asked to sign confidentiality or non-disclosure agreements as a part of the terms and conditions of employment? This may occur in conjunction with HIPAA training.
Related references:
- NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook (chapter 17)
- NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems