Policy 2 Workforce Security Policy and Procedure

Similar documents
ClickStaff Orientation Training. Presented to: Contingent Workers Presented by: <Supplier ABC> Version Effective Date: June 20, 2012 Version: 8FINAL

HIPAA Compliance and Mistakes:

MODA HEALTH CODE OF CONDUCT

SELECT EMPLOYMENT POLICIES

Triple C Housing, Inc. Compliance Plan

Compliance with Laws, Rules and Regulations

Terms of Engagement SW London Collaborative Staff Bank

Corporate Code of Business Conduct and Ethics

) ) ) ) ) ) ) ) ) ) II.

ICHWC Code of Ethics (Updated February 1, 2017)

Conflict of Interest Disclosure Form

CIRCLE TYPE OF EMPLOYMENT DESIRED: Full Time Part Time Full or Part Time Substitute. FULL NAME: Last First Middle

Social Networking. Management Guide. Compliance and Legal Services

) ) ) ) ) ) ) ) ) ) II.

DRIVER ADDENDUM TO SERVICES AGREEMENT. Last update: October 20, 2015

THE NEW AND REVISED INTERPRETATIONS CONTAINED IN THIS DOCUMENT ARE EFFECTIVE ON AUGUST 31, 2017 UNLESS OTHERWISE NOTED.

HIPAA and Electronic Information

Depending on the circumstances, we may collect, store, and use the following categories of personal information about you:

DISCIPLINE, SUSPENSION, AND DISCHARGE

Modus Law, Ltd. Ethics and Values Agreement

APPLICATION FOR EMPLOYMENT

CODE OF ETHICS FOR CHIEF EXECUTIVE OFFICER AND SENIOR FINANCIAL OFFICERS UGI CORPORATION

Kumon Employee Manual

UPMC POLICY AND PROCEDURE MANUAL

Employee Clearance Procedure

Case Report from Audit Firm Inspection Results

SAMPLE COMPLIANCE PLAN. Last revised. Sample only for educational purposes/does not constitute legal advice

CANADIAN CORPORATE BUSINESS POLICY

SUBSTANCE ABUSE POLICY

Progressive Discipline Policy

Code of Conduct. (Effective as of March 1, 2012)

Canadian Ski Instructors Alliance Conflict of Interest Policy TABLE OF CONTENTS

Canadian Society of Hospital Pharmacists Conflict of Interest Policy (Approved by CSHP Board, March 7, 2004) (Revised October 2014)

GEORGIA DEPARTMENT OF JUVENILE JUSTICE Applicability: {x} All DJJ Staff { } Administration { } Community Services { } Secure Facilities I.

2. Policy. Employee management and disciplinary action practices at the University are subject to the following policies:

Carolina Hearts Medical Equipment, LLC

Salesforce s Processor Binding Corporate Rules. for the. Processing of Personal Data

EQUAL OPPORTUNITIES AND DIVERSITY POLICY

Mentor and Me Program

12 STEPS TO PREPARE FOR THE GDPR

GUIDELINES. Corporate Compliance. Kenneth D. Gibbs President & Chief Executive. Martin A. Cammer Senior Vice President & Corporate Compliance Officer

Audit Transparency Report 2014

Instructions for completing the Employment Application

TECHNICAL RELEASE TECH 05/14BL. Data Protection Handling information provided by clients

Honorary Contracts Procedure

APPLICATION FOR EMPLOYMENT. Position Applying For: Date: Personal Information. Name Last First Middle Mailing Address Street

Policy Management Area: Human Resources and Equal Opportunity

Data Privacy Policy for Employees and Employee Candidates in the European Union

Audit Transparency Report 2016

MARICOPA INTEGRATED HEALTH SYSTEM Code of Conduct and Ethics

CITY OF CHICAGO VIOLENCE IN THE WORKPLACE POLICY

CANDIDATE DATA PROTECTION STANDARDS

DRUG AND ALCOHOL-FREE WORKPLACE POLICY

Hershey Entertainment & Resorts Company Proudly Committed to our Legacy of Excellence. Code of Conduct & Ethics

The Bank of Elk River: Digital Wallet Terms and Conditions

SFCC EMPLOYEE CORRECTIVE ACTION AND DISCIPLINARY ACTION POLICY 4-2

CORE VALUES AND CODE OF CONDUCT

Data Protection Policy & Procedures

APPLICATION FOR EMPLOYMENT TEACHER

APB ETHICAL STANDARD 3 (REVISED) LONG ASSOCIATION WITH THE AUDIT ENGAGEMENT

THE UNIVERSITY OF TEXAS SYSTEM POLICE

WHAT TO DO DURING AN IMMIGRATION AND CUSTOMS ENFORCEMENT (ICE) VISIT

GENERAL ORDER NO 23 MANAGEMENT OF PERSONNEL RECORDS

Supervisory File Guidelines For Clergy, Candidates, And Diaconal Ministers In The United Methodist Church Effective Date: January 1, 2001

Quick guide to the employment practices code

Corporate Compliance Program

DATA PROTECTION POLICY

This document provides a structured approach to developing an offboarding policy and includes procedures for the following:

PERSONAL DATA PROTECTION POLICY

An Employer s Guide to Conducting Harassment Investigations

Application for Employment

Equality and Diversity Policy

NORTH WASCO COUNTY SCHOOL DISTRICT 21

CODE OF CONDUCT A MESSAGE FROM OUR CEO. Dear Colleagues:

Living Our Purpose and Core Values CODE. Code of Business Ethics and Conduct for Vendors

TEMPLATE FOR WORKPLACE VIOLENCE PREVENTION POLICY A. POLICY STATEMENT

MiMedx Group, Inc. Code of Business Conduct and Ethics

Rogue Community College and Oregon School Employee Association Chapter 152. Classified Employee Discipline Manual

CORPORATE POLICY SUBSTANCE ABUSE POLICY SCOPE

November 20, To: All Applicants for the Naismith Hall Resident Advisor Positions. Re: Application/Selection Process Information

Foundation Contingent Workforce Screening Policy

RISK CONTROL SOLUTIONS

Data Protection Policy

ENVIRONMENT, HEALTH & SAFETY POLICY Up date

Southwest Airlines Co. Code of Ethics

REDI MART TOBACCO Drug-Free Workplace Policy

Application for Employment

DISCLOSURE OF OUTSIDE ACTIVITIES AND FINANCIAL INTERESTS FORM

Syntel Human Resources Privacy Statement

Delta Dental of Michigan, Ohio, and Indiana. Compliance Plan

Social Media Guidelines

SOURCE SELECTION PLAN. {Insert if Phase I or Phase II} {Insert Project Name} {Insert Project Acronym} SOLICITATION XXXXXX-xx-R-xxxx

EMPLOYMENT APPLICATION

Sogefi Group Code of Ethics

RANDALL COUNTY SHERIFF S OFFICE

CORPORATE POLICIES AND PROCEDURES. GIFTS NO.: (Formerly ADM X 260)

Test Security and Administration Errors Self Assessment and Checklist

GENERAL TERMS AND CONDITIONS FOR USING THE JUVENTUS eprocurement PORTAL

Guidelines and supervision on the use of IT tools of the University College

Transcription:

Policy 2 Workforce Security Policy and Procedure Policy: 1. Authorization and/or Supervision The practice s Security Officer will determine which individuals are authorized to access electronic protected health information ( ephi ), taking into account each individual s role and responsibilities. Individuals who are not authorized to access ephi, but have an occasional need to access ephi will be supervised by other workforce members. The following members of the workforce will be permitted to supervise unauthorized workforce who have a temporary need for access: (List to be completed by the Security Officer) 2. Workforce Clearance Procedures Prior to authorizing access to electronic protected health information to any member of the workforce, the organization may complete the following steps: Ask the employee if they have ever been disciplined for breaching security at a previous job (or include this on the job application) Conduct criminal background check if Security Officer determines it is necessary Obtain written assurances from employee that he or she agrees to abide by HIPAA Security Policies by asking employee to sign Form 2.1 3. Termination Procedures When an employee ceases employment at the organization (through termination, resignation, retirement or any other means) the following steps should be taken: The employee s password to all computer systems will be disabled or deleted The employee will be asked to return all keys, keycards, or other means of gaining access to the building, the office suite, and or particular rooms within the practice. The employee will be asked to return his or her name badge or other means of identification as an employee. Page 1 of 5

All supervisory employees are responsible for alerting the security officer of situations that might raise concern regarding a threat to security (for example, the employee makes threats, has a history of sabotage, or leaves under hostile circumstances). The security officer, with input from the employee s supervisors will make a determination as to any special security measures that should be taken, such as: Changing locks on doors Changing key code access or passwords to gain entrance to the facility if such passwords are known to all employees Procedure: 1. The security officer will determine who is authorized to have access to ephi. 2. Those individuals who are not authorized to access ephi will be supervised if they need to obtain temporary access (supervision will be provided by an employee deemed to be appropriate by the Security Officer as set forth above). 3. Before employees are given access to electronic protected health information, the clearance procedures set forth in Paragraph 2 above should be followed. 4. Termination procedures in Paragraph 3 will be followed for all employees. Page 2 of 5

Explanation of the Workforce Security Standard and Instructions for Utilizing the Workforce Security Policy The Workforce Security Standard requires covered entities to implement policies and procedures (1) to determine who needs access to electronic protected health information; (2) to ensure that the workers who need access can get access and (3) to ensure that individuals who do not need access cannot get access. The Workforce Security Standard has three implementation specifications: (1) authorization and/or supervision; (2) workforce clearance procedures; and (3) termination procedures. Policy 2 is a sample policy that could be used to address this standard and its implementation specifications. 1. Authorization and/or supervision This implementation specification requires all individuals who do not have authorization to be supervised when working with or around electronic protected health information. Individuals who do not need access to protected health information to perform their job should not be given such access. Some members of the workforce need access only to perform maintenance and/or operations functions. For example, if the practice has IT personnel who act as troubleshooters, those individuals may need to see electronic protected health information in order to help end users with their problems. An example would be a situation where a nurse is trying to access a patient record but the screen is not displaying appropriately. She may call someone else from the organization, who would not otherwise need access to electronic protected health information in order to troubleshoot the problem. To address this type of situation, the covered entity essentially needs to make two choices with respect to individuals who need access solely for the purpose of supporting or troubleshooting information systems: (1) Authorize the individual to have access, subject to all of the organization s authorization criteria (e.g., subject to clearance procedures, setting forth the scope of access, requiring a signed confidentiality agreement, etc.) OR (2) Put policies in place so that this individual will always be supervised when accessing electronic protected health information (details of supervision (e.g., who will supervise level of security)). 2. Workforce clearance procedures The second implementation specification under the Workforce Security Standard is workforce clearance procedures. Page 3 of 5

This specification involves making a determination as to whether individuals can be trusted with access to protected health information. The steps that you take to investigate and grant clearance to the members of your workforce are left to your discretion. For example, the government, in the final Security Rule, specifically stated that criminal background checks are not required by the rule. However, you might decide that this is an appropriate safeguard based upon your environment. In the sample policy, we have suggested that you have employees sign an agreement that they will comply with all HIPAA policies and procedures as well as certify that they have never been accused of breaching privacy. 3. Termination procedures This specification addresses the implementation of procedures for terminating access to electronic protected health information with respect to a workforce member who is terminated or whose authorization to access electronic protected health information is terminated. In order to address this specification, you should review your current termination policy or checklist and make sure that actions are taken to prevent unauthorized access to your facility or computer systems after that individual leaves your employ. Examples of precautions that might be taken include revoking passwords, taking back keys and keycards, etc. Policies should also address changes in access. For example, an individual might be assigned to a different position within your practice and might have different levels of access, or might no longer need access to certain computer systems. Policies should be implemented to require all job changes to be analyzed from this perspective and appropriate steps taken to limit or remove access accordingly. Page 4 of 5

Form 2.1 Employee Agreement I (name of employee) hereby certify that I have never been disciplined by or terminated from a previous employer for breaching HIPAA Privacy. Further, I acknowledge that I have received and reviewed the HIPAA Security policies and procedures of the organization. I understand that I am responsible for complying with all current and future HIPAA Security and Privacy policies and procedures that are implemented and that I am required to seek guidance from the Security Officer if I have any questions or concerns regarding the security of electronic protected health information. I understand that I may be subject to disciplinary action for noncompliance with the security policies and procedures. I understand that signing this agreement does not create contractual obligations on the part of the practice and does not change my status as an at-will employee, if applicable. Signature of Employee Date: Witness: Page 5 of 5

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback