Human resource security
MedStack Confidential
Metadata
- responsible officer: CTO
- date
  - effective: 2018-06-20
  - revised: 2018-05-15
  - reviewed: 2018-06-20
Screen employees prior to hiring
- Responsible party: Hiring manager
- Clearance
  - Check three professional references
  - Perform a criminal record check
  - Document into a clearance file
- Purpose
  - Ensure that persons with serious criminal records or histories of financial or legal difficulties do not have inappropriate access to PHI.
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.7.1.1 | Screening | Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. |
| HIPAA | 164.308(a)(3)(ii)(B) | Workforce clearance procedure | Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. |
| CHI | SR13 | Verifying the identity of users | All organizations connecting to the EHRi or hosting components of the EHRi must verify the identity and address of each permanent or temporary staff member or contractor who will become a registered user of a PoS system connected to the EHRi or who will have access to hosted components of the EHRi. |
Workforce contracts
- Include language in workforce contracts regarding
  - responsibilities for information security
  - that they are responsible for following these policies and procedures
  - termination of access and return of assets
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.7.1.2 | Terms and conditions of employment | The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security. |
| CHI | SR11 | Addressing user responsibilities in job descriptions | All organizations connecting to the EHRi or hosting components of the EHRi should document in job definitions the security roles and responsibilities of staff who are registered users of healthcare applications accessible via the EHRi, as laid down in the organization’s information security policy. These roles must be defined in a standardized or harmonized manner so as to ensure future interoperability of authentication services between PoS systems and the EHRi. |
| CHI | SR12 | Addressing user responsibilities in Terms of Employment | All organizations connecting to the EHRi or hosting components of the EHRi must include in the terms and conditions of employment of employees (permanent, part-time or contracted) who are, or will be, users of PoS systems connected to the EHRi, a statement about the employee’s responsibility for information security and privacy. |
Authorize minimum necessary access to PHI
- Authorize the appropriate level of access to PHI to all members of the workforce.
- Base authorization on the nature and duties of the employee’s job.
- Immediately modify authorization when the nature of their job changes and requires a different level of access, whether greater or lesser.
| Code | Section | Title | Text |
|---|---|---|---|
| HIPAA | 164.308(a)(3)(ii)(A) | Workforce security | (i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. (ii) Implementation specifications: (A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. |
Terminate employee authorization
- when their employment relationship with our organization ends
- when the employee has been sanctioned, as appropriate
- immediately (with no more than one hour delay) upon the occurrence of a triggering event
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.7.3.1 | Termination or change of employment responsibilities | Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. |
| HIPAA | 164.308(a)(3)(ii)(C) | Termination procedures | Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. |
Upon termination, require
- Return of all physical assets
Enforcement
- Responsible party: All managers and supervisors
- Sanctions: standard
References
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.7 | Human resource security | |
| ISO | A.7.1 | Prior to employment | To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. |
| ISO | A.7.3 | Termination and change of employment | To protect the organization’s interests as part of the process of changing or terminating employment. |
| ISO | A.13.2.4 | Confidentiality or non-disclosure agreements | Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented. |
| HIPAA | 164.308(a)(3) | Workforce security | (i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. (ii) Implementation specifications: (A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. (B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. (C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. |