This entry is part 49 of 59 in the series Complete Guide to HIPAA Security Final Rule

(ii) Implementation specifications:

 (B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

Tell Me More:

Based upon the results of your risk analysis, your organization may need to ensure that personnel are granted access to health information only after receiving appropriate clearances. This is important to prevent unnecessary or inadvertent access to secure information. The covered entity should employ personnel clearance procedures prior to hiring. This could consist of standardized personnel and professional reference checks.

The objective of the Workforce Clearance Procedure implementation specification is to implement procedures to determine that the access of a workforce member to electronic protected health information (EPHI) is appropriate.

Covered entities need to implement procedures to determine that the access of a workforce member to electronic PHI is appropriate. The need for and extent of a screening process is normally based on an assessment of risk, cost, benefit and feasibility, as well as other protective measures in place. Effective personnel screening processes can be applied across a range of implementations, from minimal procedures to more stringent ones, based on the risk analysis performed by the covered entity.

This is an addressable implementation specification because, for example, a personnel clearance procedure may not be reasonable or appropriate for a small provider whose only assistant is his or her spouse. The implementation specification is not mandatory, but must be addressed.

 Questions to consider:

  • Are checks on permanent staff carried out before hiring? If not, consider implementing such checks, particularly for individuals with access to sensitive information.
  • Are checks on temporary staff carried out either by contract with the temporary staffing agency or by the covered entity prior to allowing access to ePHI and other PHI? It may be necessary to change staffing agencies or alter the contract with a staffing agency to ensure this is done. [Note: Temporary staff includes students, staff augmentation, volunteers, credentialed providers who are not employees of the organization, etc.]
  • Are employees asked to sign confidentiality or non-disclosure agreements as a part of the terms and conditions of employment? This may occur in conjunction with HIPAA training.

 


Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.
 