Policies help ensure workforce member security.
According to the Ponemon Institute, 91% of healthcare organizations have had at least one breach in the last two years. Part of healthcare's exposure comes from its own employees. Yes, your workforce is your strongest asset when it comes to patient care, but it is also your weakest link when it comes to patient data security.
It’s common knowledge in the security industry that humans, not faulty technology, are at the root of most data breaches. People are fallible. They trust too much. They forget. They feel vindictive when fired. They don’t know the latest security protocols.
You get the picture.
If your people are just human, how are you supposed to protect patient data?
A great starting point is workforce member training, but let’s not get ahead of ourselves. The step before training is having updated workforce member policies. After all, if you don’t have a HIPAA security policy that documents what information employees have access to, how are you supposed to train your employees to protect it?
The HIPAA Security Rule, §164.308(a)(3), specifically states that covered entities (and their business associates) must “implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information … and prevent those workforce members who do not have access … from obtaining access to electronic protected health information.”
A workforce security policy is how you meet this requirement: it establishes that every member of your workforce has appropriate access to patient health information, and it gives you a documented basis for keeping unauthorized workforce members out.
To comply correctly, document which employees have access to patient data, what permissions each of them has, and what happens to that access when they are terminated or change job roles. Those three items line up with the standard's three implementation specifications: authorization and/or supervision, workforce clearance procedure, and termination procedures. Controlling and documenting PHI access will take some work.
In an effort to help you comply with HIPAA regulation, we are offering a free downloadable HIPAA security policy template!
It’s important that workforce members have only the appropriate, limited access to protected health information they need for their job. This is role-based PHI access: permissions are tied to the role, not handed out person by person, which is how the minimum-necessary principle gets enforced in practice. For example, a physician needs a higher level of access to patient data than, say, a receptionist, who may only need demographic details for scheduling.
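The following is an added example, not code from SecurityMetrics or from the policy template, showing what role-based PHI access with onboarding, role changes and terminations looks like when it is actually enforced rather than only written down. The roles, permission names and workforce members are assumptions constructed for illustration; the two points worth noticing are that a role change replaces the old role (permissions do not accumulate), and that a terminated member falls through to default deny while their history stays in the audit trail.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Role -> PHI permissions. These roles and permission names are assumptions
# for illustration; a real policy documents the organization's own roles.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician":    {"phi:read", "phi:write", "phi:prescribe"},
    "nurse":        {"phi:read", "phi:write"},
    "receptionist": {"phi:read:demographics"},            # scheduling and check-in only
    "billing":      {"phi:read:demographics", "phi:read:billing"},
}


@dataclass
class WorkforceMember:
    user_id: str
    role: Optional[str]        # None once the member is terminated
    active: bool = True


class PHIAccessControl:
    """Role-based PHI access with joiner / mover / leaver handling and an audit trail."""

    def __init__(self) -> None:
        self.members: Dict[str, WorkforceMember] = {}
        # (UTC timestamp, event, user_id, detail)
        self.audit: List[Tuple[str, str, str, str]] = []

    def _log(self, event: str, user_id: str, detail: str = "") -> None:
        self.audit.append((datetime.now(timezone.utc).isoformat(), event, user_id, detail))

    def _active(self, user_id: str) -> WorkforceMember:
        member = self.members.get(user_id)
        if member is None or not member.active:
            raise ValueError(f"{user_id} is not an active workforce member")
        return member

    def onboard(self, user_id: str, role: str) -> None:
        """Joiner: access is granted only through a documented role."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        if user_id in self.members:
            raise ValueError(f"{user_id} already exists")
        self.members[user_id] = WorkforceMember(user_id, role)
        self._log("ONBOARD", user_id, role)

    def change_role(self, user_id: str, new_role: str) -> None:
        """Mover: the new role REPLACES the old one, so old permissions do not accumulate."""
        member = self._active(user_id)
        if new_role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {new_role}")
        self._log("ROLE_CHANGE", user_id, f"{member.role} -> {new_role}")
        member.role = new_role

    def terminate(self, user_id: str) -> None:
        """Leaver: all PHI access is revoked immediately; the record is kept for the audit trail."""
        member = self._active(user_id)
        member.active = False
        member.role = None
        self._log("TERMINATE", user_id)

    def permissions(self, user_id: str) -> Set[str]:
        member = self.members.get(user_id)
        if member is None or not member.active or member.role is None:
            return set()            # default deny: unknown or terminated users get nothing
        return set(ROLE_PERMISSIONS[member.role])

    def authorize(self, user_id: str, permission: str) -> bool:
        """Every decision, allowed or denied, is written to the audit log."""
        allowed = permission in self.permissions(user_id)
        self._log("ALLOW" if allowed else "DENY", user_id, permission)
        return allowed

    def access_report(self) -> List[Tuple[str, Optional[str], List[str]]]:
        """The 'who has access to what' documentation the policy calls for."""
        return sorted(
            (m.user_id, m.role, sorted(self.permissions(m.user_id)))
            for m in self.members.values()
        )


def demo() -> PHIAccessControl:
    """Walk a constructed workforce through onboarding, a role change and a termination."""
    ac = PHIAccessControl()
    ac.onboard("dr_lee", "physician")
    ac.onboard("n_park", "nurse")
    ac.onboard("r_diaz", "receptionist")
    ac.authorize("dr_lee", "phi:prescribe")    # allowed
    ac.authorize("r_diaz", "phi:read")         # denied: receptionist sees demographics only
    ac.change_role("n_park", "billing")        # mover: loses phi:write, gains the billing view
    ac.terminate("dr_lee")                     # leaver: everything revoked
    ac.authorize("dr_lee", "phi:read")         # denied
    return ac


if __name__ == "__main__":
    ac = demo()
    for row in ac.access_report():
        print(row)
    for entry in ac.audit:
        print(entry)
```

The access report is the artifact an auditor will ask for, and the audit list is what lets you show that a terminated member never touched PHI after their last day. In a real deployment the role table would live in your identity provider or EHR, but the shape of the checks is the same.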
To be most effective, your workforce security policy should describe what happens to a workforce member's PHI permissions when:
If you need more than just a Workforce Security Policy, check out the rest of our HIPAA policies designed specifically for small to medium healthcare providers.
Remember, a policy is only as good as its implementation within your organization. It does no good to have a policy that sits on the shelf. Policies and security training go hand in hand: the policies provide the documentation and rules, and the training helps employees remember what the policies contain. For best results, I recommend scheduling short, regular trainings at least monthly. You are much better served doing a 15-minute training each month than a two-hour training once a year.
See also: SecurityMetrics HIPAA Guide
When implementing your policy, documenting employee roles, and preparing your organization for better workforce security procedures, ask yourself:
Don’t forget to download your free HIPAA security policy template before you leave.