HIPAA - Workforce Security 164.308(a)(3)(i)
Overview:
Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
Action Items:
1) Obtain and review the policies and procedures that ensure all members of its workforce only have access to ePHI that is required for each workforce member to do his or her job. Elements to review may include, but are not limited to:
   - whether different levels of access to information systems are appropriately approved and communicated;
   - whether the workforce operates at privilege levels no higher than necessary to accomplish required job duties.
2) Obtain and review documentation demonstrating access granted to workforce members and their job descriptions. Evaluate and determine that the access granted to each workforce member correlates with his or her job functions and duties.
3) Obtain and review documentation demonstrating that management reviews workforce members' access to information systems that contain ePHI to determine if access is appropriate. Evaluate and determine if workforce members' access to information systems that contain ePHI is certified and approved by appropriate management.
Related Documents:
1) Policies and procedures that ensure all members of its workforce only have access to ePHI that is required for each workforce member to do his or her job.
2) Documentation demonstrating access granted to workforce members and their job descriptions.
3) Documentation demonstrating that management reviews workforce members’ access to information systems that contain ePHI to determine if access is appropriate.
Additional Guidance:
Within a covered entity's environment, the workforce members who need access to ePHI to carry out their duties must be identified. For each workforce member, or job function, the covered entity must identify the ePHI that is needed and when it is needed, and make reasonable efforts to control access to that ePHI. This also includes identifying the computer systems and applications that provide access to the ePHI. Covered entities must provide only the minimum necessary access to ePHI that is required for a workforce member to do his or her job.