Administrative Safeguards (164.308)

Workforce Security Policy

45 CFR § 164.308(a)(3)

Governs authorization, supervision, clearance, and termination procedures for workforce members who access ePHI. Covers the full employee lifecycle from hiring through separation to prevent insider threats.

What's Included

  • Policy document
  • Access authorization form
  • Termination access revocation checklist
  • Background check requirements guide
  • Implementation checklist
  • Annual review template
2 pages · ~997 words · 8 sections
Estimated customization: ~10 minutes
Last updated May 2026

Sample Preview

Workforce Security Policy

Version 1.0 · Effective [EFFECTIVE DATE] · Approved by [PRIVACY/SECURITY OFFICER NAME]

1. Purpose

This policy ensures that all members of [PRACTICE NAME]'s workforce who need access to ePHI receive appropriate authorization, and that access is promptly modified or revoked when workforce members change roles or leave the organization. It addresses the three addressable implementation specifications: authorization and/or supervision, workforce clearance procedure, and termination procedures.

2. Scope

This policy applies to all workforce members of [PRACTICE NAME], including employees, volunteers, trainees, temporary staff, and contractors whose conduct is under the direct control of the practice. It covers the entire workforce lifecycle: pre-hire screening, onboarding and access provisioning, role changes, and separation from the organization.

3. Policy Statement

[PRACTICE NAME] shall implement policies and procedures to ensure that all workforce members have appropriate access to ePHI based on their job functions, as required by 45 CFR § 164.308(a)(3). Access to ePHI shall be granted only to workforce members who require it to perform their duties, shall be limited to the minimum necessary for those duties, and shall be revoked immediately upon termination or when no longer needed due to a role change.

4. Definitions

Workforce Member: Any employee, volunteer, trainee, or other person whose conduct, in the performance of work for [PRACTICE NAME], is under the direct control of the practice, whether or not compensated.

Authorization: The formal approval granting a workforce member access to ePHI or ePHI systems, documented via an access authorization form signed by the workforce member's supervisor and the Security Officer.

Clearance Procedure: The process of verifying that a workforce member's access to ePHI is appropriate for their role, including background checks where applicable.

Termination Procedures: The steps taken to revoke a workforce member's access to ePHI and ePHI systems, recover practice property, and deactivate accounts when the workforce member separates from the organization.

5. Procedures

1. AUTHORIZATION AND SUPERVISION

1.1 Before a workforce member is granted access to any system containing ePHI, the member's supervisor shall complete an Access Authorization Form specifying: the systems and data the member needs to access, the level of access required (read, write, delete), and the business justification for the access.

1.2 The Security Officer shall review and approve or deny each access request within [NUMBER] business days.

1.3 Access shall be granted using the principle of least privilege — the minimum access necessary for the workforce member to perform their assigned duties.

1.4 Workforce members who are not yet authorized, or whose access is pending, shall be supervised by an authorized workforce member when working in areas where ePHI is accessible.

2. WORKFORCE CLEARANCE PROCEDURE

2.1 Before granting access to ePHI, [PRACTICE NAME] shall determine that a workforce member's access is appropriate by: verifying the member's identity, confirming the member's role and job responsibilities, conducting a background check in accordance with [PRACTICE NAME]'s HR policies and applicable state law, and verifying that the member has completed required HIPAA training.

2.2 Background checks shall be conducted for all new hires and volunteers with access to ePHI. The scope of background checks shall comply with applicable state and federal employment laws.

2.3 The clearance determination shall be documented and retained in the workforce member's file.

3. ROLE CHANGES

3.1 When a workforce member changes roles within the organization, the member's supervisor shall submit an updated Access Authorization Form reflecting the new role's access requirements.

3.2 Access that is no longer necessary for the new role shall be revoked within [NUMBER] business days of the role change effective date.

4. TERMINATION PROCEDURES

4.1 Upon voluntary or involuntary separation, the following actions shall be completed on or before the workforce member's last day:

  • Deactivate all user accounts on ePHI systems (EHR, PM, email, patient portal, VPN, cloud services)
  • Disable remote access capabilities
  • Collect all practice-issued devices (laptops, phones, tablets, USB drives, badges, keys)
  • Change shared passwords or access codes that the departing member knew
  • Remove the member from physical access lists (door codes, key card access)
  • Disable voicemail access

4.2 The Security Officer or IT Manager shall confirm completion of all termination steps using the Termination Access Revocation Checklist within [NUMBER] business days.

4.3 If a workforce member is terminated for cause (especially for HIPAA violations), access shall be revoked immediately, concurrent with the termination notification.

5. DOCUMENTATION

5.1 Maintain records of all access authorizations, clearance determinations, role changes, and termination actions for a minimum of six (6) years from the date of creation or the date when last in effect, whichever is later, per 45 CFR § 164.316(b)(2)(i).

6. Roles & Responsibilities

Security Officer ([SECURITY OFFICER NAME]): Reviews and approves access authorization requests. Maintains the master access authorization log. Coordinates with IT to provision and revoke access. Conducts periodic access reviews to verify that current access levels remain appropriate.

Privacy Officer ([PRIVACY OFFICER NAME]): Ensures access authorizations align with minimum necessary requirements. Participates in clearance determinations for roles with access to sensitive PHI.

Supervisors/Managers: Submit access authorization forms for their direct reports. Notify the Security Officer of role changes and separations promptly. Supervise unauthorized or pending workforce members in ePHI areas.

HR Manager ([HR CONTACT NAME]): Coordinates background checks. Notifies the Security Officer of all new hires, role changes, and separations. Retains clearance and sanction documentation.

IT Manager/Vendor ([IT CONTACT NAME]): Provisions and revokes system access per approved authorization forms. Confirms completion of termination access revocation steps.

All Workforce Members: Use only the access for which they have been authorized. Report any suspected unauthorized access to the Security Officer.

7. Review Schedule

This policy shall be reviewed at least annually. Additionally, the Security Officer shall conduct a quarterly review of current access authorizations against the active workforce roster to identify and remediate any discrepancies (e.g., active accounts for separated employees, excessive access for current employees).

8. Regulatory References

  • 45 CFR § 164.308(a)(3)(i) — Workforce security (Required)
  • 45 CFR § 164.308(a)(3)(ii)(A) — Authorization and/or supervision (Addressable)
  • 45 CFR § 164.308(a)(3)(ii)(B) — Workforce clearance procedure (Addressable)
  • 45 CFR § 164.308(a)(3)(ii)(C) — Termination procedures (Addressable)
  • 45 CFR § 164.312(a)(1) — Access control (Required)
  • 45 CFR § 164.502(b) — Minimum necessary standard
  • 45 CFR § 164.316(b)(2)(i) — Security Rule documentation retention (6 years)

Templates require customization and legal review before adoption. Not legal advice. See full disclaimer.