By Iseman Cunningham Riester & Hyde LLP
Covered Entities must implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. The purpose of this requirement is to ensure that every member of the workforce has the access to electronic protected health information that is appropriate to his or her role, and that those who do not need such access cannot obtain it. Workforce authorization and supervision is an addressable implementation specification under the Security Rule (45 CFR 164.306(d)). An addressable specification is not optional: a covered entity must implement it if doing so is reasonable and appropriate; if it is not, the entity must document why and implement an equivalent alternative measure where that alternative is reasonable and appropriate.
Tip #20 addressed how covered entities should assess the level of access to be provided to different members of the workforce. Once levels of access are determined, covered entities must establish written procedures for granting and revoking access, changing access when the status of an employee changes, and verifying that a particular user is authorized for a particular access level. The size of the organization will determine the scope and formality of access authorization procedures.
Covered Entities also must determine whether they need to supervise access to electronic protected health information in order to prevent the misuse of such information. In determining what type of supervision may be necessary, covered entities should identify routine and non-routine handlers of electronic protected health information. Supervision may not be necessary where system access is well-controlled. For example, if specific security parameters or physical barriers control access, a covered entity may not need to be concerned about access by non-routine handlers, such as maintenance personnel. In other situations, the need for physical supervision may be eliminated if the covered entity enters into a business associate agreement with a non-routine handler, such as an outside software vendor.
Physical supervision of access in non-routine circumstances can be prohibitively expensive. Electronic supervision, such as logging of access to electronic protected health information combined with active review of those logs, offers the potential for long-term cost savings despite the initial costs of setting up the electronic system. Logging alone is only supervision if someone is actually reviewing the records, so the procedures should assign responsibility for that review.
HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.
(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.