Assigned Security Responsibility 45 CFR § 164.308(a)(2)
Each organization is required to appoint a person who will be responsible for creating, maintaining, and enforcing the policies and procedures needed to protect patient data. You already have a HIPAA Privacy Officer; now you will also need a HIPAA Security Officer. Smaller organizations may combine these roles in one individual known as the Compliance Officer. Everyone in the organization must know who holds these titles. Auditors typically will not ask for these people by name, only by title.
Workforce Security 45 CFR § 164.308(a)(3)(i)
Within your organization's environment, employees are required to access ePHI to carry out their duties. These workforce members must be identified and given only the level of access needed to perform their job functions, known as minimum necessary access.
Authorization and/or Supervision 45 CFR § 164.308(a)(3)(ii)(A)
Authorization is defined as the process of determining whether a user has the right to access ePHI or carry out a particular duty. Supervisors are required to oversee the workforce to ensure that everyone, including the supervisors themselves, accesses ePHI only within their scope of work. This includes detailed job descriptions outlining the level of access to PHI and/or ePHI.
Workforce Clearance Procedure 45 CFR § 164.308(a)(3)(ii)(B)
This is the screening process for potential employees. If an employee will have access to ePHI, a thorough screening process should include a criminal background check under all of the candidate's surnames. Checking the OIG exclusions list is also required.
Termination Procedures 45 CFR § 164.308(a)(3)(ii)(C)
When an employee or a business associate is no longer needed, procedures must be in place to ensure that all of their access to ePHI is terminated immediately. A termination checklist is most helpful for making sure no access is overlooked.
Let Aris work with you for an easy online path to HIPAA compliance