This article describes the HIPAA workforce security requirements for restricting access to protected health information. The relevant subsection of the HIPAA law is §164.308(a)(3).
Section §164.308 of the Health Insurance Portability and Accountability Act describes the required administrative safeguards for covered entities. This article explores section §164.308(a), which deals with ensuring that workforce members have appropriate (yet limited) access to protected health information.
HIPAA Workforce Security
“Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.” [§164.308(a)(3)]
This could be called the “need to know” rule. A covered entity is responsible for restricting access to protected health information to only those workforce members who require it. However, all of the implementation specifications for this rule are deemed addressable. This means that the covered entity can assess whether or not the specification is a reasonable and appropriate safeguard. If it is not, then the covered entity must create formal documentation of why it is not applicable and what equivalent alternative measures are used to meet the standard.
Authorization and Supervision
Workforce members who access protected health information must be appropriately authorized and supervised. To verify this rule is implemented, an auditor will inquire whether policies that outline authorization levels and supervision requirements for access to protected health information exist. The auditor will also examine an organizational chart or other equivalent document to determine that lines of authority exist for enforcing these access rules.
Workforce Clearance Procedure
Anyone accessing protected health information must have a business need to do so and be qualified to handle that information. To verify this rule is implemented, an auditor will obtain and review formal documentation of the policies that enforce this standard, including what access levels have been established for access to protected health information, the procedures for granting access rights, and how workforce members are evaluated for the appropriate qualifications for access.
Access to protected health information must be revoked when it is no longer needed. Such situations could include an employee leaving the organization, being promoted, or being reassigned to a different project in which the protected health information access is no longer required. To verify this rule is implemented, an auditor will inquire whether there are policies in place to deal with termination of access to protected health information. There must also be policies for recovering or deactivating portable devices which may contain data (such as laptops and tablets), and devices which may grant access to data, such as cryptographic tokens and employee badges. Additionally, an auditor will obtain and review formal policy documents containing the procedures for terminating access to protected health information, as well as review evidence of monitoring to determine that access is terminated in a timely fashion.
Changes in the 2013 HIPAA Update
The language in the Termination Procedures section [§164.308(a)(3)(II)(C)] was updated to reflect that termination procedures must exist not only for employees, but all workforce members of a covered entity or a business associate. No other changes to the workforce security requirements appeared in the 2013 HIPAA Omnibus Rule.
Limiting access to protected health information (PHI) is a crucial part of HIPAA compliance. By restricting access to PHI, the likelihood of a breach is reduced. HIPAA workforce security can be increased through technical means as well as policies and education. Restricting access to PHI with formalized, documented policies and practices is a necessary step in becoming HIPAA compliant.
This article has been cross-posted from the Gemini Security Solutions website.