
HIPAA Understood: Workforce Security

This series is intended to help those required to comply with HIPAA understand what is required of them. Regulatory standards are often difficult to understand because they are worded vaguely. By the end of this series, you will have a better understanding of what HIPAA requires of you. In addition, I will provide suggestions on how to achieve compliance based on what I have seen work most effectively.


It is very important to set boundaries for your workers and to enforce those boundaries. These boundaries can be as simple as designating specific office spaces as off limits or limiting the access that specific roles within your organization have on your network. HIPAA is no different: it requires that you set up clearly defined boundaries, as stated in the following rule:

“164.308(a)(3)(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information”

As stated in the above rule, organizations must ensure that all of their employees have the appropriate level of access where PHI/ePHI is concerned. This is simpler from an administrative standpoint than from a technical standpoint (we will discuss the technical aspects under a later rule). Basically, this rule wants you to define which roles within your organization are authorized to access PHI/ePHI and when and how those roles are allowed such access. The access granted to each role should be limited to the minimum required for that role to perform its duties. This must be documented to comply with HIPAA; you can add it to an existing policy/procedure or create a new set of documents, whichever is easiest and makes the most sense for your organization. Within the documentation, make sure you specify the controls that will be used to permit or deny access, such as approval processes or any technical controls that will be applied. If new documents are created, they should be included in the same maintenance processes as all other policies.