HIPAA Understood: Workforce Clearance Procedure

This series is intended to help those required to comply with HIPAA understand what is required of them. Regulatory standards are often difficult to understand because they are worded vaguely. By the end of this series, you will have a better understanding of what HIPAA requires of you. In addition, I will provide suggestions on how to achieve compliance based on what I have seen work most effectively.

This week’s rule is tied directly to the previous two rules, 164.308(a)(3)(i) and 164.308(a)(3)(ii)(A), and as such much of the following may sound familiar. 

“164.308(a)(3)(ii)(B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.”

The above rule specifies that you need to document a process that can be used to determine whether access is appropriate. So how do you do this? The previous rules lay the groundwork here. In 164.308(a)(3)(i) you documented which roles are permitted to have access to PHI/ePHI within your organization, and in 164.308(a)(3)(ii)(A) you established a process for approving employees within your organization to have access. So, to determine whether access is appropriate, you will determine whether the employees granted access have been approved according to your processes and whether they are in a role that has been determined to warrant access. Additionally, you should determine whether the employee has a need for the information. Let me explain: just because a member of your organization is in an approved role and has gone through the approval process doesn't mean they should have access to all PHI/ePHI. The more secure method for providing access to approved and authorized personnel is to allow them access only to the information they need to perform their duties.