Workforce Security Policies, v1.0

Specifies that a health care-related organization must have policies to ensure that all members of its workforce have appropriate access to electronic protected health information and to prevent access by those who are not authorized.

Assessment Step

1
Appropriate Access (AppropriateAccess)
Does the covered entity or business associate implement procedures for the authorization of workforce members who work with electronic protected health information or in locations where it might be accessed?
Artifact
A1
Provide evidence (e.g., organizational policies, procedures, compliance/assessment reports) that supports the assessor's response to this assessment step.
A covered entity or business associate must perform these requirements in accordance with Section 164.306 (Security standards: General rules).

Conformance Criteria (1)

Authorization Procedures
The covered entity or business associate must have policies to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under Section 164.308(a)(4) (HIPAA Administrative Safeguards), and to prevent those workforce members who do not have access under Section 164.308(a)(4) from obtaining access to electronic protected health information. Section 164.308(a)(4) refers to Information Access Management policies and procedures.
Citations
HIPAA-Security-Rule
45 CFR Section 164.308(a)(3)(i)
HIPAA-Security-Rule
45 CFR Section 164.306