You’ve got firewalls protecting the network, locks on all the data closets, card key access restrictions to the data center, backups stored offsite, and the latest and greatest antivirus and malware solutions installed.
So where is the weakest link in your security chain?
Typically, it’s your employees!
Despite all the policies, procedures, training, reminders and protections you have in place, they still have a mind of their own, and will short-cut or ignore those safeguards and place EPHI at risk. Most don’t do it intentionally, and some have the attitude that “it won’t happen here… we’re too small… we’re too remote… we’re (insert excuse here)”.
The reality is, access to EPHI must be restricted to only those of your workforce who need it to perform their duties.
Each covered entity (CE) must:
“Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) [Information Access Management] of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.”
In other words, make sure only those employees, contractors, business associates, etc., that need access to EPHI have it, and all others don’t.
So how do you accomplish this?
The first step is to Implement Procedures for Authorization and/or Supervision (an addressable implementation specification): “Implement procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it may be accessed.”
To do this, you need to start by clearly defining roles and responsibilities for all job functions, and then assign appropriate levels of access for each. You should document who has a business need to view, maintain, retrieve or store EPHI, when they can perform these tasks, and for what purposes. Then document those who have been granted permission to do so.
Procedures need to be created for the authorization of access for new hires to the workforce. Establish the proper chains of command or lines of authority so that all requests for access follow the defined process. Typically this starts with Human Resources. Each request must be documented and approved by the appropriate manager or supervisor.
The same goes for changes to authorizations and access. Too often, this is where organizations stumble. As an employee changes roles or assumes a new position in the organization, their access needs to be reviewed and altered accordingly. It should follow a process similar to new hires, where appropriate review and approval steps are followed and documented prior to access changes being implemented. Often, as employees move from role to role, access is added but existing authorizations are never reviewed, so over time an employee’s access no longer matches their role.
You should also Establish a Workforce Clearance Procedure (an addressable implementation specification): “Implement procedures to determine that the access of a workforce member to EPHI is appropriate”. A thorough screening of prospective employees should be conducted for those who will have access to EPHI. Does your organization perform background checks? Does it check employment references and licensing to validate the candidate’s authenticity? These activities, performed prior to an offer of employment, will reduce the likelihood of hiring staff who may put EPHI at risk.
Finally, Establish Termination Procedures (an addressable implementation specification): “Implement procedures for terminating access to EPHI when the employment of a workforce member ends or as required by determinations made as specified in §164.308(a)(3)(ii)(B).” There should be a documented procedure for discontinuing access to EPHI (and all other access) when an employee is no longer part of the workforce. The timing of when access is cut off may depend on the nature of the termination. I would recommend you have separate procedures established for voluntary terminations (change of employment, retirement, promotion, etc.) and for involuntary ones (termination for cause, layoffs, criminal or disciplinary actions). Include in these procedures steps to recover security-related property, such as ID badges, access cards, keys, portable devices (smart phones, laptops), etc., so that future unauthorized access to facilities or systems is not possible.
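The three failure modes described above (access accumulating across role changes, roles with no documented entitlements, and terminated staff still holding access) are the things a periodic access review should catch. As an added example that is not part of the original post, the script below compares each workforce member's granted entitlements against a role-to-entitlement matrix; the matrix, system names and user IDs are constructed for illustration.

```python
from dataclasses import dataclass

# Role -> entitlements a member in that role has a documented business need for.
# Constructed sample matrix, not a real organization's.
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr-clinical", "patient-demographics"},
    "billing-clerk": {"billing-system", "patient-demographics"},
    "it-admin": {"directory-admin", "backup-console"},
}

@dataclass
class WorkforceMember:
    user_id: str
    role: str
    active: bool          # False once HR records the termination
    access: frozenset     # entitlements currently granted in the systems

def review_access(members, role_entitlements):
    """Return (user_id, finding, entitlements) for every member whose
    granted access does not match their documented role."""
    findings = []
    for m in members:
        if not m.active:
            if m.access:  # termination procedure did not remove the access
                findings.append((m.user_id, "terminated-access-remaining", sorted(m.access)))
            continue
        if m.role not in role_entitlements:
            findings.append((m.user_id, "undocumented-role", sorted(m.access)))
            continue
        excess = m.access - role_entitlements[m.role]
        if excess:  # access added over role changes but never reviewed
            findings.append((m.user_id, "access-beyond-role", sorted(excess)))
    return findings

# Constructed sample workforce: u1002 moved from nurse to billing and kept
# clinical access; u1003 has left but still holds directory-admin.
SAMPLE_MEMBERS = [
    WorkforceMember("u1001", "nurse", True, frozenset({"ehr-clinical", "patient-demographics"})),
    WorkforceMember("u1002", "billing-clerk", True,
                    frozenset({"billing-system", "patient-demographics", "ehr-clinical"})),
    WorkforceMember("u1003", "it-admin", False, frozenset({"directory-admin"})),
    WorkforceMember("u1004", "contractor", True, frozenset({"patient-demographics"})),
]

if __name__ == "__main__":
    for user_id, finding, entitlements in review_access(SAMPLE_MEMBERS, ROLE_ENTITLEMENTS):
        print(f"{user_id}: {finding}: {', '.join(entitlements)}")
```

Feeding the script real HR and entitlement exports on a schedule turns the review step into a repeatable check rather than a one-off audit.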
By following these few steps, you’ll have the peace of mind in knowing there is no weak link in your security.