									                                            University of Colorado Denver
                                  Facility for Advanced Spatial Technology




Subject: HIPAA Security Policies & Procedures                                         Policy #: AS-22.1
Title: Workforce Clearance Procedure                                                           Page 1 of 4

Effective Date of This Revision:              September 12, 2012

Contact:                HIPAA Security Officer
                        Sue Hawkins
                        1200 Larimer Street NC 5032
                        303-556-4172

Responsible Department: Facility for Advanced Spatial Technology

HIPAA REGULATORY INFORMATION: Workforce Security Standard

                      Administrative Safeguard                Type:        Standard
Category:             Physical Safeguard                                   Implementation Specification
                      Technical Safeguard                                      Required      Addressable

                      Officers               Staff/ Faculty      Student clinicians      Volunteers
Applies to:
                      Other agents           Visitors            Contractors




BACKGROUND:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that access to
Protected Health Information (PHI) will be managed to guard the integrity, confidentiality, and availability
of electronic PHI (ePHI) data. According to the law, all "Covered Entity's Name" officers, employees and
agents of units within a "Covered / Hybrid" Entity must preserve the integrity and the confidentiality of
individually identifiable health information (IIHI) pertaining to each patient or client.


        SECURITY REGULATION IMPLEMENTATION SPECIFICATION LANGUAGE:
        “Implement procedures to determine that the access of a workforce member to electronic protected health
        information is appropriate.”


PURPOSE:
Each Unit of "Covered Entity's Name"'s health care component (HCC), which handles ePHI, will have a
documented process for investigating personnel who require access to ePHI when the employment of
workforce members starts or access is newly required as set forth in "Covered Entity's Name"'s Access
Authorization implementation specification ("Policy Number"), Information Access Management standard
("Policy Number") and Access Establishment and Modification implementation specification
("Policy Number"), for example due to a change in position such that the workforce member requires
access to ePHI.




 HIPAA Requirement     Workforce Security Standard
 HIPAA Reference:      45 CFR 164.308(a)(3)(i)
 Reviewed by:          Sue Hawkins
 Approved by:          Sue Hawkins
 Effective Date        9/12/2012
 Supersedes Policy:    N/A
This policy provides guidance for the FAST's Security Office in adopting the addressable Workforce
Clearance Procedure Implementation Specification under the Workforce Security Standard.


POLICY:

FAST is committed to taking reasonable and appropriate steps to ensure that workforce members have the
appropriate authorization to access ePHI as defined in Access Authorization policy (AS-1.1) and Access
Establishment and Modification policy (AS-2.1).

The appropriate Human Resources and hiring personnel of each unit of FAST's health care components
(HCC) will identify and define the security responsibilities of and supervision required for the defined
organizational position. Security responsibilities include responsibilities for implementing or maintaining
security and the protection of the confidentiality, integrity, and availability of each unit of FAST's HCC
information systems or processes.

Each Unit of FAST's HCC will review prospective workforce members' backgrounds during the hiring
process and, as appropriate, will perform verification checks on prospective workforce members. Each
covered component will analyze prospective workforce members' access to and expected abilities to
modify or change ePHI as one of the bases for the type and number of verification checks conducted.
Verification checks may include, but are not limited to:

     • Confirmation of claimed academic and professional experience and qualifications
     • Professional license validation
     • Credit check
     • Criminal background check

Each Unit of FAST's HCC workforce members who access ePHI will sign confidentiality agreements in
which they agree not to provide ePHI to or to discuss confidential information with unauthorized persons,
in addition to signing and acknowledging the workstation use policy. The appropriate Human
Resources personnel will develop a system for retaining such signed agreements.




DEFINITIONS:
HIPAA: Health Insurance Portability and Accountability Act of 1996

Electronic Protected Health Information (ePHI): Electronic health information or health care payment
information, including demographic information collected from an individual, which identifies the individual
or can be used to identify the individual. ePHI does not include student records held by educational
institutions or employment records held by employers.

Individually Identifiable Health Information (IIHI): Information that is a subset of health information,
including demographic information collected from an individual, and:

     • Is created or received by a health care provider, health plan, employer, or health care
       clearinghouse; and
     • Relates to the past, present, or future physical or mental health or condition of an individual; the
       provision of health care to an individual; or the past, present, or future payment for the provision
       of health care to an individual; and
     • That identifies the individual; or
     • With respect to which there is a reasonable basis to believe the information can be used to
       identify the individual.

FAST Health Care Component (HCC): Those units of the FAST that have been designated by the FAST
as part of its health care component under HIPAA.

FAST Security Officer: The individual appointed by FAST to be the HIPAA Security Officer under s.
164.306(2) of the HIPAA Security Rule.

Addressable: When a standard adopted under 45 CFR Part 164.312 includes addressable
implementation specifications, a unit within the FAST HCC must (i) assess whether each implementation
specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference
to the likely contribution to protecting the unit's ePHI and (ii) as applicable to the unit: (A)
implement the implementation specification if reasonable and appropriate; or (B) if implementing the
implementation specification is not reasonable and appropriate: (1) document why it would not be
reasonable and appropriate to implement the implementation specification; and (2) implement an
equivalent alternative measure if reasonable and appropriate.




Related Policies:
Access Establishment and Modification (AS-1.1)
FAST Confidentiality Agreement
Information Access Management Standard (AS-2.1)


Reference:
Access to Electronic Health Information Flow Sheet
Access Authorization (AS-1.1)
FAST Confidentiality Agreement
HIPAA Final Security Rule, 45 CFR Parts 160, 162, and 164, Department of Health and Human Services,
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp, February 20, 2003.

CMS, “CMS Information Systems Security Policy, Standards and Guidelines Handbook”, CMS, February
2002.

International Standards Organization (ISO/IEC 17799:2000(E))



