Monday, November 29, 2004

Information Access Management III

The last task under Information Access Management is to implement policies and procedures that, based on access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. This task is addressable.

This is something of an overview of the whole Information Access Management requirement. Basically you must have a method of determining who has rights, how rights are assigned, and how they are reviewed and modified as needed, and you must document these policies and procedures. Note that granting access to a workstation may or may not be sufficient: a person may have access to a workstation but not to certain applications that contain EPHI, and a person may have access to an EPHI application but not to certain EPHI components within that application.

Friday, November 19, 2004

Information Access Management II

The next Information Access Management task is to implement policies and procedures for granting access to EPHI. This is an addressable task. Your job descriptions should include the need for access to EPHI where applicable. Procedures need to be in place to ensure that access to EPHI is given where appropriate and withheld where necessary. This should include the limitations on access. For instance, access may be granted for only a limited set of patients.

Tuesday, November 16, 2004

Information Access Management I

The next section under the Administrative Rules is Information Access Management. Generally, agencies must implement policies and procedures for authorizing access to EPHI. There are 3 tasks in this section. The first is a required task and the 2nd and 3rd are addressable.

The first task is to implement procedures to isolate and protect EPHI from a parent organization. Basically, you must keep all EPHI protected even from parent or other affiliated organizations unless there is a valid reason for the data to be made available to them. Your patient is not their patient. If access is to be granted, you must ensure all other security rules are considered when you grant the access. This is a required task.

Friday, November 12, 2004

Workforce Security III

The next Workforce Security task is to implement procedures for terminating access to EPHI when the employment of a workforce member changes or ends. Basically, you must have a method to change or remove access to EPHI if an employee leaves employment or changes positions within your organization.

This should include deactivating network access or changing access rights as necessary. Remember that VPN or dialup access must be addressed as well.

Tuesday, November 09, 2004

Workforce Security II

The second Workforce Security task is to implement procedures to determine that the access of a workforce member to EPHI is appropriate. This task is addressable. In the previous task you had to create a procedure to authorize and/or supervise workforce members who work with EPHI. This task requires that you create a procedure that determines whether access to EPHI is appropriate for specific workforce members. For instance, an office administration type of employee may have no need for access to EPHI, a nursing supervisor may need a broad range of access to EPHI, and a specific nurse may be authorized to access only the EPHI of their own patients. A list of employment positions and their need for access to EPHI would generally satisfy this task.

Remember that you must regularly review your policies and procedures to ensure they continue to comply with the rule. As you add, change, or remove positions, they should be reviewed. Also, as employees change positions, a process should be in place whereby their access to EPHI is reviewed and adjusted accordingly.
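The position list described in this post, the layered workstation/application/component access described under Information Access Management III, and the termination and position-change handling under Workforce Security III all come down to one access decision that must pass at every layer and fail closed when a position has no documented profile. The following is an added illustration in Python, not code from this blog or from any HIPAA guidance; the positions, application names, patient identifiers, and the `access_decision`, `change_position`, `terminate`, and `review_roster` functions are all constructed for the example.

```python
"""Position-based, patient-scoped EPHI access decision (constructed illustration)."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple, List

# Constructed sample of the "list of employment positions and their need for
# access to EPHI": position -> EPHI applications that position may use.
POSITION_APPS = {
    "office_administrator": set(),                     # no need for EPHI
    "nursing_supervisor": {"ehr", "lab", "pharmacy"},  # broad access
    "nurse": {"ehr", "lab"},                           # limited access
}

# Positions whose access is further limited to their own assigned patients
# (the "certain EPHI components within the application" layer).
PATIENT_SCOPED = {"nurse"}


@dataclass
class WorkforceMember:
    user_id: str
    position: Optional[str]          # None once employment has ended
    workstation_login: bool          # network/workstation account enabled
    assigned_patients: Set[str] = field(default_factory=set)


def access_decision(member: WorkforceMember, application: str,
                    patient_id: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every layer must pass; unknown positions fail closed."""
    if member.position is None:
        return False, "employment ended: all EPHI access revoked"
    if not member.workstation_login:
        return False, "no workstation access"
    allowed_apps = POSITION_APPS.get(member.position)
    if allowed_apps is None:
        # A position with no documented access profile gets nothing until reviewed.
        return False, f"position {member.position!r} has no documented access profile"
    if application not in allowed_apps:
        return False, f"position {member.position!r} is not authorized for {application!r}"
    if member.position in PATIENT_SCOPED and patient_id not in member.assigned_patients:
        return False, "patient is not assigned to this workforce member"
    return True, "authorized"


def change_position(member: WorkforceMember, new_position: str) -> WorkforceMember:
    """Position change: rights are rebuilt from the new profile, not accumulated."""
    member.position = new_position
    if new_position not in PATIENT_SCOPED:
        member.assigned_patients = set()
    return member


def terminate(member: WorkforceMember) -> WorkforceMember:
    """Employment ends: remove network access and every EPHI right together."""
    member.position = None
    member.workstation_login = False
    member.assigned_patients = set()
    return member


def review_roster(members: List[WorkforceMember]) -> List[str]:
    """Periodic review: flag members whose state does not match the documented policy."""
    findings = []
    for m in members:
        if m.position is None and m.workstation_login:
            findings.append(f"{m.user_id}: terminated but workstation login still enabled")
        elif m.position is not None and m.position not in POSITION_APPS:
            findings.append(f"{m.user_id}: position {m.position!r} has no access profile")
        elif m.position is not None and m.position not in PATIENT_SCOPED and m.assigned_patients:
            findings.append(f"{m.user_id}: patient assignments left over from a scoped position")
    return findings


if __name__ == "__main__":
    nurse = WorkforceMember("n01", "nurse", True, {"p100"})
    print(access_decision(nurse, "ehr", "p100"))
    print(access_decision(nurse, "ehr", "p200"))
    print(review_roster([terminate(WorkforceMember("x01", "nurse", True))]))
```

The point of `review_roster` is that the decision logic alone is not the control: the rule also asks for periodic review, so the roster check surfaces stale workstation accounts and undocumented positions that the per-request check would otherwise silently deny or, worse, that a less careful check would silently allow.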

Saturday, November 06, 2004

Workforce Security I

Workforce Security is the next subsection under the Administrative Section. It consists of 3 tasks, all of which are addressable. An addressable task means that your agency must evaluate the requirement being defined and then decide what the best solution to that requirement is for your agency. There is no predefined solution to the requirement in question. Addressable tasks are meant to allow for flexibility in your solution. For instance, a large hospital may have a larger need or more funds to address a particular requirement than a small agency or doctor's office.

The Workforce Security section requires that your agency implement policies and procedures to ensure workforce members have appropriate access to EPHI and to prevent access by those who should not have it. Remember that the Administrative Section has to do with creating, documenting, implementing, and monitoring policies and procedures, not the actual technical part of the process. That will come later.

The first task in the Workforce Security section is to implement procedures for the authorization and/or supervision of workforce members who work with EPHI. What workforce members need access to EPHI? To what type of EPHI do they need access? What is the process for granting and removing access? If you have more than one location, do workforce members from one location have rights to EPHI at the other locations? Who is in charge of granting and denying access? These types of questions must be addressed in the policies and procedures you create for this task. Remember that this task is addressable and therefore can be tailored to meet your specific needs.

Monday, November 01, 2004

Assign Security Responsibility

The next item under the Administrative Section is to name a person that will be responsible for the development and implementation of the security policies and procedures. This is a required task.

When picking this person it is crucial that the person have a clear understanding of the issues regarding the security of your IT system and EPHI. I would also suggest that you have this person put together a small team to enable them to complete these security tasks before April 2005. In reality, selecting a Security Officer should be the first thing done in this process. The Security Officer should be involved in all aspects of the implementation, from the analysis stage all the way through implementation and monitoring.