Many providers view the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as an irritant they wish would disappear.
Given the sheer volume of requirements placed on doctors, this sentiment is hard to deny. However, the HIPAA rules won’t vanish, so you may as well elevate your understanding of these standards. In the process you may discover that the rules for the workforce security standard (found at §164.308(a)(3)) are sensible and easy to implement.
Policies and procedures
From a HIPAA perspective, compliance starts with a policies and procedures document, typically a manual that you create for your practice. The manual should detail each workforce member's responsibilities as well as your practice's responsibilities and prohibitions regarding workforce security measures. Be certain to review your policies and procedures at least annually and to document that each review took place.
A basic HIPAA safeguard requires you to maintain a list of workforce members. Because small health care practices have relatively few employees, they often overlook this requirement, reasoning that it is unnecessary when everyone is personally known. Documentation is always required, and it becomes critical if your compliance is ever questioned. Your list should name every employee, contractor, and volunteer, and it should record the following attributes for each person:
Job role and level of access
In a HIPAA context, a role is defined less by job duties than by the level of information access required to do the job. Examples of roles include provider, clinical assistant, receptionist, biller, and office manager. Before you can assign a role to a workforce member, you must first determine what roles exist in your office and define which information systems (e.g., clinical, billing, scheduling) each role is authorized to access. Limit each role to the minimum access necessary for a person to perform his or her job; a receptionist, for example, needs the scheduling system but normally has no reason to open full clinical notes. This process is often referred to as granting access on a "need-to-know" basis.
In small offices, workforce members may have to perform multiple functions and therefore share a need to access every electronic protected health information (ePHI) system to fulfill their responsibilities. If this is the situation in your practice, be sure to document the reasons for allowing this global access, and revisit those reasons whenever someone's duties change.
Mobile devices are easily lost or stolen. Knowing who is authorized to use a mobile device in your practice lets you provide targeted training and keep track of the devices. Likewise, recording which employees are authorized to access practice resources from outside your facility helps you target training and tells you exactly which remote access to revoke when someone leaves.
Sanction policy and training
At a minimum, have every workforce member sign your practice's sanction policy. HIPAA requires that you have a sanction policy and apply it, and a signed acknowledgment is the simplest proof that each person received it. Document that the agreement was signed and keep the original on file. Additionally, each workforce member should have a record of regularly completed HIPAA training; keep these training records alongside the workforce list.
Knowing who holds office keys, access cards, and lock combinations is critical to HIPAA compliance and is a precursor to the next requirement: formal termination procedures. Your practice needs a repeatable process for when a workforce member's employment ends, covering collection of keys, access cards, and mobile devices; disabling the person's user accounts in every information system; and changing any shared lock combinations or passwords that person knew. Additionally, record whether the departure was amicable or hostile. The regulation does not spell this out, but it belongs in your risk analysis: a hostile departure is the case in which a still-active account or an unreturned key is most likely to be misused.
Clearly written job descriptions that set forth the qualifications for each position make sense to have, but they are not required. Likewise, screening prospective employees with a background check before granting access to patient information is a good idea, but it is only a recommendation: the workforce clearance procedure is an "addressable" specification, which means you must decide whether it is reasonable and appropriate for your practice and document that decision.
The HIPAA requirements pertaining to workforce security are straightforward and completely reasonable. Believe it or not, all HIPAA standards are as well, once you get to know them.
Jeff Brown, DC, is obsessed with creating affordable, easy-to-use software to end the frustration of HIPAA compliance. Brown's career spans private chiropractic practice, meaningful use and compliance consulting, and software product management for three health care technology companies. He is a co-founder of HIPAAmate, software designed and priced for small practices. He can be contacted at 614-706-2066, firstname.lastname@example.org, or through hipaamate.com.