HIPAA security policy template

Policies help ensure workforce member security.

Tod Ferran, SecurityMetrics
According to The Ponemon Institute, 91% of healthcare organizations have had one or more breaches in the last two years. Part of healthcare’s tendency toward insecure operations is due to employees. Yes, your workforce is your strongest asset when it comes to patient care, but it’s also your weakest link when it comes to patient data security.

It’s common knowledge in the security industry that humans, not faulty technology, are at the root of most data breaches. People are fallible. They trust too much. They forget. They feel vindictive when fired. They don’t know the latest security
You get the picture.

If your people are just human, how are you supposed to protect patient data?
A great starting point is workforce member training, but let’s not get ahead of ourselves. The step before training is having updated workforce member policies. After all, if you don’t have a HIPAA security policy that documents what information employees have access to, how are you supposed to train your employees to protect it?

What do HIPAA regulations say about workforce security policies?

HIPAA regulation §164.308(a)(3) specifically states that healthcare covered entities must “implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information … and prevent those workforce members who do not have access … from obtaining access to electronic protected health information.”

The requirement to have a workforce security policy helps ensure that all members of your workforce have appropriate access to patient health information and can help prevent unauthorized workforce members from gaining access.

To comply with this requirement correctly, you should document which employees have access to patient data, what permissions they have, and what happens if they are terminated or change job roles. Controlling and documenting PHI access will take some work.

In an effort to help you comply with HIPAA regulation, we are offering a free downloadable HIPAA security policy template!

It’s important that workforce members only have the appropriate, limited access to protected health information. This is called role-based PHI access. For example, a doctor should have a higher level of permissions to access patient data than, say, a receptionist.

To be most effective, your workforce security policy should probably include descriptions of what happens to workforce member PHI permissions in instances of:
  • Termination
  • Changing roles
  • New hires
If you need more than just a Workforce Security Policy, check out the rest of our HIPAA policies designed specifically for small to medium healthcare providers.

Policies and training: better together

Remember, a policy is only as good as its implementation within your organization. It does no good to have a policy that sits on the shelf. Policies and security training go hand in hand. The policies offer the documentation and rules, and the training helps employees remember the information contained in the policies. For best results, I recommend scheduling short, regular trainings at least on a monthly basis. You are much better served doing a 15-minute training each month than a 2-hour training once a year.

When implementing your policy, documenting employee roles, and preparing your organization for better workforce security procedures, ask yourself:
  • Where does your organization currently stand with workforce member security?
  • What are the different roles at your organization?
  • What differences exist in the roles and how much access do they currently have to patient data? (How much access do they really need to perform their job role?)
  • When was the last time employees were trained on the HIPAA Security Rule? (Think small, easy to remember chunks.)
  • What are your ultimate HIPAA goals?
  • Does your organization need assistance becoming HIPAA compliant?
  • Do you really understand the risks associated with insecurity and non-compliance? (Average cost is $359 for each record lost!)
  • What is your budget for HIPAA compliance, including workforce member training?
Don’t forget to download your free HIPAA security policy template before you leave.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.