WORKFORCE SECURITY
POLICY # 7
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERCEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Implement policies and procedures to ensure that all members of its
workforce have appropriate access to electronic protected health
information, as provided under paragraph (a) (4) of this section, and to
prevent those workforce members who do not have access under
paragraph (a) (4) of this section from obtaining access to electronic
protected health information.”
Policy Summary:
Sindecuse Health Center (SHC) must prevent unauthorized access to
information systems containing EPHI. Only properly authorized
workforce members must be provided this access. The type and extent of
access authorized to SHC information systems containing EPHI must be
based on a risk analysis. Access to SHC information systems containing
EPHI must be granted only to properly trained SHC workforce members
who have a need for EPHI in order to accomplish a legitimate task.
Purpose:
This policy reflects SHC’s commitment to allow access to information
systems containing EPHI only to workforce members who have been
appropriately authorized. The type and extent of access authorized to
SHC information systems containing EPHI must be based on risk
analysis.
Policy:
1. SHC must protect the confidentiality, integrity, and availability of its
information systems containing EPHI by preventing unauthorized access
while ensuring that properly authorized workforce member access is
allowed.
2. Access to SHC information systems containing EPHI must be granted
to only to workforce members who have been properly authorized.
3. The type and extent of access to SHC information systems containing
EPHI must be based on risk analysis. At a minimum, the risk analysis
Page 1 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
WORKFORCE SECURITY
must consider the following factors:



The importance of the applications running on the information
system
The value or sensitivity of the EPHI on the information system
The extent to which the information system is connected to other
information systems
4. Access to SHC information systems containing EPHI must be
authorized only for properly trained SHC workforce members having a
legitimate need for specific information in order to accomplish job
responsibilities. All such access must be defined and documented. Such
access must be regularly reviewed and revised as necessary.
5. Access to SHC information systems containing EPHI must be
established via a formal, documented process. At a minimum, this
process must include:





Identification and definition of permitted access methods
Identification and definition of how long access will be granted
to user
Procedure for granting a workforce member an access method
(e.g. password or token) or changing an existing access method
Procedure for managing access rights in a distributed and
networked environment
Appropriate tracking and logging of actions by authorized
workforce members on SHC information systems containing
EPHI
6. SHC workforce members must not attempt to gain access to SHC
information systems containing EPHI for which they have not been given
proper authorization.
7. As defined in SHC’s Authorization and/or Supervision policy, SHC
must ensure that all workforce members who have the ability to access
SHC information systems containing EPHI are appropriately authorized
or supervised.
8. As defined in SHC’s Workforce Clearance policy, SHC workforce
members must be adequately screened during the hiring process,
including background checks.
9. As defined in SHC’s Termination Procedures policy, SHC must
create and implement a formal, documented process for terminating
access to EPHI when the employment of a workforce member ends.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
Page 2 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
WORKFORCE SECURITY
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Administrative Safeguards
Regulatory Type:
Standard
Regulatory
Reference:
45 CFR 164.308(a)(3)(i)
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Page 3 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
WORKFORCE SECURITY
Availability means the property that data or information is accessible and
useable upon demand by an authorized person.
Confidentiality means the property that data or information is not made
available or disclosed to unauthorized persons or processes.
Integrity means the property that data or information have not been
altered or destroyed in an unauthorized manner.
Risk analysis means a systematic and analytical approach that identifies
and assesses risks to the confidentiality, integrity or availability of a
covered entity’s EPHI. Risk analysis considers all relevant losses that
would be expected if specific security measures protecting EPHI are not
in place. Relevant losses include losses caused by unauthorized use and
disclosure of EPHI and loss of data integrity.
Responsible
Department:
Information Systems
Administrative Office
Policy Authority/
Enforcement:
SHC’s Security Officer is responsible for monitoring and enforcement of
this policy, in accordance with Procedure # (TBD).
Related Policies:
Authorization and/or Supervision
Workforce Clearance Procedure
Termination Procedures
Access Control
Information Access Management
Access Authorization
Access Establishment and Modification
Facility Access Controls
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 4 of 4
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.