HIPAA policies and procedures ensure all employees have appropriate ePHI access
Security Rule Language: “Implement policies and procedures to ensure all members of its workforce have appropriate access to electronic protected health information (ePHI), as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.”
45 CFR 164.308(a)(3)(i)
The Workforce Security standard requires that you implement policies and procedures to ensure that all members of your workforce have appropriate access to ePHI and to prevent those workforce members who do not have access from obtaining access to ePHI. The type and extent of access to your information systems containing ePHI must be based on your Risk Analysis. Your Risk Analysis must consider the following factors:
• The importance of the applications running on the information system
• The value or sensitivity of the ePHI on the information system
• The extent to which the information system is connected to other information systems
Access to your information systems containing ePHI must be authorized only for your properly trained workforce members having a legitimate need for specific information in order to accomplish job responsibilities. All such access must be defined and documented. Such access must be regularly reviewed and revised as necessary.
Access to your information systems containing ePHI must be established through a formal, documented process. This process must include:
• Identification and definition of permitted access methods
• Identification and definition of how long access will be granted to a user
• Procedure for granting a workforce member an access method (e.g., password or token) or changing an existing access method
• Procedure for managing access rights in a networked environment
• Appropriate tracking and logging of actions of authorized workforce members on your information systems containing ePHI
Your workforce members must not attempt to gain access to your information systems containing ePHI for which they have not been given proper authorization.
Following these policies and procedures will help prevent unauthorized access to ePHI while giving designated employees the access they need to do their jobs.