Hello and welcome back. This week we continue our discussion of HIPAA compliance with the workforce security requirement. Section 164.308(a)(3) of the HIPAA security rule requires covered entities to “implement policies and procedures to ensure that all members… have appropriate access to protected health information… and to prevent those workforce members who do not have access… from obtaining access…” We will look at three of the requirements here: limited access using role-based access controls, supervision procedures to check up on your employees, and termination procedures that will protect your systems when you must dismiss an employee.

First, make a list of your employees and determine their job function. Role-based access control is the best approach for determining what data your employees need to know. Think about the different positions within your practice. You probably have one or two providers, a practice manager, nurses, billing staff, and maybe a receptionist. Once you identify the different jobs in your practice, decide what kind of information they need. The general rule of thumb is that if they do not need to see it, they should not have access to it. Limited data access using role-based access controls will significantly improve your security.

The next requirement of this section calls for authorization and supervision procedures. Authorization can be handled through passwords, windows file permissions, or controls built-into your EMR software. Supervision can be a burden though, if you have a large office. Consider installing remote administration software on your computers such as pcAnywhere or Log Me In. There are even remote administration packages that will run from smart phones and PDAs. If you use a third-party IT service provider, they may already have remote access software installed on your system. You can use remote administration software to connect to their computers to give them assistance, or just pop in and see how they are doing.

Your practice should also have termination procedures that will go into effect if you must fire, layoff, or otherwise dismiss an employee, contractor, or anyone with access to your data. Generally speaking, you should revoke all their access before you terminate them. This way it will not be possible for them to cause any damage should they be upset and wish to get revenge or take out their anger on your computer systems. Be sure to change or disable their user accounts in Windows, and your EMR software, if applicable. You will also want to disable or remove any email or instant messaging accounts they have.

While it may seem paranoid and callous to lock your system down against your own employees, workforce security requirements are included in the HIPAA security rule for a good reason. Studies show that you are much more likely to suffer harm from an employee than from a hacker over the internet. Employees can steal or destroy your data, either maliciously or by accident. The best way to protect yourself is to make sure your employees only have access to the information they need to perform their job.

For some brief statistics about the insider threat, click here.

Ryan Ricks
Security Officer