The Workforce Security Standard has 3 separate Implementation Specifications, all of which are addressable:

  • Authorization and/or supervision

  • Workforce clearance procedures

  • Termination procedures

This Standard involves the process for granting and denying access to EPHI, including implementing policies and procedures to ensure that staff have only appropriate access to EPHI and to prevent those who don't have access from obtaining access.

11.5.1 Authorization and/or Supervision

The first of the three separate Implementation Specifications in the Workforce Security Standard is Authorization and/or Supervision, an addressable requirement of the HIPAA Security regulations.

The implementation specification suggests procedures for supervision and/or authorization of workers when they are working with EPHI or in locations of EPHI. Comments in the final security rule suggest this should be done by a 'knowledgeable' person, and this has been made addressable because at some locations this person may not be available. For this and any addressable implementation specification, document your decision for addressing this issue and the policy that comes from this decision.

11.5.2 Workforce Clearance Procedures

The second of the three Implementation Specifications of the Workforce Security Standard, also addressable, is Workforce Clearance Procedures.

It's suggested that the covered entity implement procedures to determine that a worker's access to EPHI is appropriate. Comments in the final rule state this is not a requirement for background checks on a covered entity's staff.

Determining what is 'appropriate' is probably a subjective decision based upon each staff member's function. Each Department Manager within a covered entity needs to review what each staff member is allowed to view or access to make this determination. This implementation specification is made addressable because it may not be appropriate for a small provider (physician, clinic, etc.) whose assistant may be a spouse or other close relative. Again, you should document your decision for addressing this issue and the policy that comes from this decision.

11.5.3 Termination Procedures

The last required Implementation Specification in the Workforce Security Standard is Termination Procedures.

The covered entity should implement procedures for terminating access to EPHI when a worker's employment ends. Procedures should include security-unique actions, such as revoking passwords, retrieving keys, etc.

It is advisable to take these security steps prior to discharge if appropriate, immediately upon resignation, and to review potential risk when someone gives their two-week notice.

A good policy would be for Managers who plan to terminate a staff person, or who are notified of someone quitting, to notify their IS/IT staff, or whoever controls access to the network, to remove login rights, disable accounts, change passwords, or take other appropriate security steps.

HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181
