entities must implement a workforce security regime as
a part of their administrative
safeguards. The Security
Rule defines that as the "implement[ation] of policies
and procedures to ensure that all members of its workforce
have appropriate access to electronic
protected health information
is obviously to be understood in both the positive and negative
sense -- it is a matter of preventing access by persons who
are not entitled to it (confidentiality), and of securing
it for those who are (availability).
has three implementation
specifications, all of them addressable:
- a workforce
clearance procedure, and
The first includes
implementation of "procedures for the authorization and/or
supervision of workforce members who work with electronic
[PHI] or in locations where it might be accessed." For
example, operations and maintenance workers, who must work
in areas where PHI resides, would either be authorized for
such "exposure" or supervised by someone who is.
The second embraces
implemented "procedures to determine that the access
of a workforce member to electronic [PHI] is appropriate."
"Clearance" does not mean that there is a blanket
requirement for background checks or other formal security
vetting before access to PHI is granted. "The need for
and extent of a screening process is normally based on an
assessment of risk, cost, benefit, and feasibility as well
as other protective measures in place." (Final Rule,
mean that access to PHI will be conditioned on assessments
of job responsibilities, the amount and type of supervision,
and so on. In this regard, the minimum
necessary standard of the Privacy
Rule is the lodestar.
As its name would
imply, the last of the three covers "procedures for terminating
access to electronic [PHI] when the employment of a workforce
member ends" or when the clearance procedures determine
that a change in a worker's access privileges is appropriate.
It includes such steps as changing combinations or turning
in keys, tokens or cards; deactivation of userids and passwords,
and/or removal from access lists; and any other appropriate
steps to terminate or alter a user's access to PHI.
DHHS has noted
that the size and type of an organization will strongly condition
the appropriateness of each of these. (For example, a small
provider might have much more informal mechanisms.) For that
reason, all three implementations specifications here are
addressable, not required.