What is the HIPAA Security Rule Workforce Security Standard?

Modified on Tue, 13 Feb at 6:17 PM


DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

One of the HIPAA Security Rule administrative safeguards is the workforce security standard, found at 45 CFR 164.308(a)(3).

Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under the Information Access Management Standard, and to prevent those workforce members who do not have access under the Information Access Management standard from obtaining access to electronic protected health information.

This standard comes with three implementation specifications. Implementation specifications are the measures that must be implemented to meet the standard. The implementation specifications, all addressable, are:

(ii) Implementation specifications:

(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

(B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

(C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified by the workforce clearance procedure mentioned immediately above.

Let’s discuss each of these three items in turn.

1. Authorization and/or supervision:
To ensure that workforce members have appropriate access to ePHI, an organization can maintain documentation containing:

  1. Employee names

  2. Employee job descriptions

  3. The appropriate level of access to which each employee has been given, based on the requirements of their job role. 

In addition to maintaining documentation, an organization should also make its workforce members aware of the identity, roles, and responsibilities of their supervisors. This is necessary to ensure that workforce members will know who supervises them with respect to their work with ePHI, and who supervises them in the locations where they might access that PHI.

An organization should follow the “least privilege” rule with respect to ePHI. Under the least privilege rule, only workforce members who require access to ePHI should be granted that access, and the level of access granted should be the minimum necessary for them to perform their job roles and responsibilities.

An organization’s ensuring appropriate access to ePHI is not a static process. If a workforce member no longer requires access, or their job role has changed such that modified access is required, the organization should conduct the necessary processes to terminate or modify access. This process is typically conducted by a supervisor or the organization’s Security Official.

Just as existing workforce members should not have access to PHI when such access is not (or is no longer) required, so, too, should an organization determine what access is appropriate before an employee begins work with an organization. This determination may be made by the Security Official, in consultation with supervisors and other personnel as needed. The determination as to what level and amount of access is appropriate, and for what purpose access is being granted, should be formally written and documented. An organization should provide (and maintain) formal, written, documented authorization before granting access to ePHI. This authorization can be periodically consulted to determine whether adjustments to access levels are required.

An organization may use the following procedures to authorize, supervise, and monitor which workforce members are authorized to work with ePHI:

1. Determine, for each workforce member, the appropriate access level.
2. Maintain a list, which details the level of authorization for each workforce member.
3. Assign a unique name or number for identifying and tracking the identities of network computer users.
     A. Obtain management approval before assignment of users or logon accounts.
4. Require all users to work from standard user-level accounts. This requirement should extend to administrative personnel. Privileges should be escalated only when needed to install applications or modify the system.
5. Train all workforce members regarding their individual appropriate access authorizations, including what such authorizations permit and what such authorizations prohibit.


Security Awareness Prior to Granting Access:

Before an organization grants access to any of the various systems or applications that contain ePHI, it should train workforce members on security awareness. Topics to be covered include:

  1. Proper uses and disclosures of the ePHI stored in systems or application(s);

  2. How to properly log on and log off the systems or application(s);

  3. Protocols for correcting user errors (i.e., inadvertent alteration or destruction of ePHI);

  4. Instructions on contacting a designated person or help desk when ePHI may have been altered or destroyed in error; and

  5. Reporting a potential or actual security breach.

An organization should also, prior to granting access, inform workforce members that access to information systems and applications may be revoked or suspended, consistent with the organization’s privacy and security policies and practices, if it has been determined that a workforce member has engaged in unauthorized access.


2. Workforce Clearance Procedure
Workforce clearance procedures may consist of the following:

  1. Screening of workforce members prior to granting access to ePHI. Here, supervisors and security officials ensure that information access is only granted after first verifying that the access of a workforce member to ePHI is necessary and appropriate.

  2. Training of workforce members on the organization’s HIPAA Privacy and Procedure Manual and HIPAA Security Policy and Procedure Manual.

  3. Prior to, and as a prerequisite to, being issued a User ID or logon account to access any ePHI, workforce members should sign the organization’s Confidentiality Agreement, and thereafter should comply with the organization’s security policies and procedures.

Security Officials and supervisors have important roles to play with respect to workforce clearance procedures. The Security Official can establish and ensure a periodic review of (and update as necessary) access authorization levels and personnel clearance levels, to ensure that the access of a workforce member to ePHI is appropriate.

The Security Official may also, when adding, modifying, or terminating security clearance access, update the personnel clearance and access authorization levels accordingly.
The supervisor can notify workforce members of any changes to their access or clearance levels.


3. Workforce termination procedures
Workforce termination procedures are procedures for the termination of a workforce member’s access to ePHI when that person’s employment (or other arrangement with the organization) ends, or when the organization determines that it is not (or is no longer) appropriate for that workforce member to have access to ePHI.


There are circumstances under which termination of access should be required, meaning department members or their designated representatives must terminate a workforce member’s access to ePHI. These circumstances include:

1. If management has evidence or reason to believe that the user is using information systems or resources in a manner inconsistent with the organization’s HIPAA Security Rule policies and procedures, or the organization’s Privacy Rule policies and procedures.
2. If the workforce member or management has evidence or reason to believe that the user’s password has been compromised.
3. If the user resigns, is terminated, suspended, retires, or is absent on unapproved leave.
4. If the user’s job description or role has changed and system access is no longer justified under the new job role or description.

What are Specific Termination Procedures?
Specific termination procedures may include:

1. Physical security measures, if any, including retrieving keys and pass cards, and changing locks.
2. Deactivation of computers and other electronic tools.
3. Deactivation of access accounts.
4. Disabling of users and passwords.
5. Filling out and completion of an employee termination checklist. The checklist should be completed each time that an employee separates from the organization. Checklist items should include at least the following:
     A. Return of all access devices.
     B. Deactivation of logon accounts, including remote access.
     C. Return of any computers and other similar electronic tools, devices, or media, such as tablets or cell phones.
     D. Delivery of any data/information in the workforce member’s possession and control to the organization.

An organization should document its termination procedures and measures.
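The written authorization list (item 2 of the authorization procedures above), the Security Official’s periodic review, and the termination triggers can be exercised together by a periodic access review that compares the register against the accounts actually present on a system holding ePHI. The script below is an added illustration, not Compliancy Group’s tooling or any regulatory text; the register fields, access levels, and sample records are constructed assumptions.

```python
"""Access-review check for the workforce security standard: compares the
written access authorization register with the accounts that exist on a
system holding ePHI and reports discrepancies. All data is constructed."""
from dataclasses import dataclass
from datetime import date

LEVELS = {"none": 0, "read": 1, "read-write": 2, "admin": 3}
@dataclass(frozen=True)
class Authorization:  # one row of the written authorization register
    user_id: str
    role: str
    level: str  # key of LEVELS
    status: str  # "active", "separated", "suspended" or "unapproved-leave"
    last_reviewed: date

@dataclass(frozen=True)
class Account:  # one logon account as exported from the system
    user_id: str
    enabled: bool
    level: str

def review_access(register, accounts, today, review_days=90):
    """Return sorted (user_id, finding) pairs needing Security Official action."""
    by_id = {a.user_id: a for a in register}
    findings = []
    for acct in accounts:
        auth = by_id.get(acct.user_id)
        if auth is None:  # access granted without written authorization
            findings.append((acct.user_id, "no written authorization on file"))
            continue
        if acct.enabled and auth.status != "active":  # termination trigger
            findings.append((acct.user_id, f"terminate access: member is {auth.status}"))
        if LEVELS[acct.level] > LEVELS[auth.level]:  # least privilege violated
            findings.append((acct.user_id, f"granted {acct.level} exceeds authorized {auth.level}"))
        if (today - auth.last_reviewed).days > review_days:  # periodic review lapsed
            findings.append((acct.user_id, "authorization review overdue"))
    return sorted(findings)
# Constructed sample register and account export (not real people).
REGISTER = [Authorization("jdoe", "billing clerk", "read", "active", date(2024, 1, 15)),
            Authorization("asmith", "nurse", "read-write", "separated", date(2024, 1, 15)),
            Authorization("bjones", "IT support", "read", "active", date(2023, 9, 1))]
ACCOUNTS = [Account("jdoe", True, "read"),
            Account("asmith", True, "read-write"),  # still enabled after separation
            Account("bjones", True, "admin"),  # above the authorized level
            Account("temp01", True, "read")]  # nobody authorized this account

def sample_review():  # the worked case: review run on 2024-02-13
    return review_access(REGISTER, ACCOUNTS, date(2024, 2, 13))
if __name__ == "__main__":
    print(*sample_review(), sep="\n")
```

Each finding maps to an action the article already calls for: disabling the account, reducing the access level, obtaining written authorization, or refreshing the review.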
