The HIPAA Workforce Requirement
by Dr. Jeff Brown
Many providers view the HIPAA as a irritant they wish would disappear. Given the sheer volume of requirements placed on doctors, the sentiment is hard to deny. However, the Rule won’t vanish, of course, so you may as well elevate your understanding. In the process you may discover the rules are quite sensible and easy to implement.
To illustrate one area of sensibility, let’s dig into the workforce security standard (found at §164.308(a)(3)) and its requirements.
Policies and procedures
From a HIPAA perspective, compliance always starts with policies and procedures documents (a.k.a. your "HIPAA manual"). This manual should detail each workforce member’s and your practice’s responsibilities and prohibitions with regard to workforce security measures. Be certain to review your policies and procedures, and document such reviews, annually at a minimum.
List of workforce
A fairly well-known HIPAA safeguard requires you to maintain a list of workforce members. Because small healthcare practices have relatively few employees, they often overlook this safeguard believing it’s unnecessary since everyone is personally known. Documentation, however, is always required and of critical importance should your compliance ever be questioned.
While your list should name individual employees, contractors, and volunteers, it must also contain the attributes discussed below.
Job roles and level of access
In a HIPAA context, a role has less to do with job duties and more to do with the level of information access the role requires to complete assigned job activities. Examples of roles include: provider, clinical assistant, receptionist, biller, and office manager. Before you can assign a role to a workforce member you must first determine what roles exist within your office and define which information systems (e.g. clinical, billing, scheduling) each role is authorized to access; making certain to limit access to the minimum necessary for a person to perform their job. This is often referred to as granting access on a "need to know" basis.
Note: In small offices, there exists the possibility workforce members perform multiple functions and share a need to access all ePHI systems to fulfill their job responsibilities. If this is the situation in your practice, be sure to document the reasons for allowing this kind of global access.
Who has mobile access
Mobile devices are designed to be mobile, which also means they can be easily lost or stolen. Knowing who in your practice is authorized to use a mobile device helps you provide specialized training and keep track of the devices themselves.
Who has remote access
Similar to mobile device access, indicating which employees are authorized to access practice resources from outside your facility helps you manage training related to the added risks associated with working outside the office.
At a minimum all workforce members must sign your practice’s sanction policy. The HIPAA is very clear about this requirement. Simply document the agreement was singed and keep the original in a file.
Document staff training
Each employee should have a record of regularly completed HIPAA training. Alternatively, you can store training records elsewhere (not part of employee list) as long as you have them somewhere.
Your practice should have formal procedures when a workforce member’s employment is terminated. For example, a repeatable process for collecting keys, office equipment, and disabling user accounts within information systems. Additionally, there is a little known requirement to record whether employee termination was amicable or hostile—applies to your HIPAA Risk Analysis.
Nice to have, but not required
Written job descriptions that clearly set forth the qualifications for various job positions makes sense to have, but is not required. Likewise, screening prospective employees, via a background check, prior to enabling access to your patient information is a great idea, but only a recommendation.
The HIPAA requirements pertaining to workforce security are straightforward and completely reasonable. Believe it or not, all HIPAA standards are as well, once you get to know them.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.