Policies help ensure workforce member security.
By: Tod Ferran
It’s common knowledge in the security industry that humans, not faulty technology, are at the root of most data breaches. People are fallible. They trust too much. They forget. They feel vindictive when fired. They don’t know the latest security
If your people are just human, how are you supposed to protect patient data? A great starting point is workforce member training, but let’s not get ahead of ourselves. The step before training is having updated workforce member policies. After all, if you don’t have a HIPAA security policy that documents what information employees have access to, how are you supposed to train your employees to protect it?
What do HIPAA regulations say about workforce security policies? HIPAA regulation §164.308(a)(3) specifically states that healthcare covered entities must “implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information … and prevent those workforce members who do not have access … from obtaining access to electronic protected health information.”
The requirement to have a workforce security policy helps ensure that all members of your workforce have appropriate access to patient health information and can help prevent unauthorized workforce members from gaining access.
To comply with this requirement correctly, you should document which employees have access to patient data, what permissions they have, and what happens if they are terminated or change job roles. Controlling and documenting PHI access will take some work.
In an effort to help you comply with HIPAA regulation, we are offering a free downloadable HIPAA security policy template!
It’s important that workforce members only have the appropriate, limited access to protected health information. This is called role-based PHI access. For example, a doctor should have a higher level of permissions to access patient data than, say, a receptionist.
To be most effective, your workforce security policy should include descriptions of what happens to workforce member PHI permissions in instances of:
- Changing roles
- New hires
When implementing your policy, documenting employee roles, and preparing your organization for better workforce security procedures, ask yourself:
- Where does your organization currently stand with workforce member security?
- What are the different roles at your organization?
- What differences exist in the roles and how much access do they currently have to patient data? (How much access do they really need to perform their job role?)
- When was the last time employees were trained on the HIPAA Security Rule? (Think small, easy-to-remember chunks.)
- What are your ultimate HIPAA goals?
- Does your organization need assistance becoming HIPAA compliant?
- Do you really understand the risks associated with insecurity and non-compliance? (Average cost is $359 for each record lost!)
- What is your budget for HIPAA compliance, including workforce member training?
Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.