Are you concerned about the policies and procedures that ensure all members of your workforce have appropriate access to electronic protected health information?
- Are there existing procedures for determining that the appropriate workforce members have access to the necessary information?
- Are the procedures applied consistently within the organization when determining access for related workforce job functions?
- Do the termination policies and procedures assign responsibility for removing information system and/or physical access?
- Do the policies and procedures include timely communication of termination actions to ensure that the termination procedures are appropriately followed?
Information Access Management
Is your organization facing challenges in implementing policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements?
- Does the larger organization perform health care clearinghouse functions?
- If health care clearinghouse functions are performed, are policies and procedures implemented to protect EPHI from the other functions of the larger organization?
- Are additional technical safeguards needed to separate EPHI in information systems, used by the health care clearinghouse, to protect against unauthorized access by the larger organization?
- Are policies and procedures in place for establishing access and modifying access?
- Are system access policies and procedures documented and updated as necessary?
- Do members of management or other workforce members periodically review the list of persons with access to EPHI to ensure they are valid and consistent with those authorized?
- How often should an evaluation be done? For example, are additional evaluations performed if security incidents are identified, changes are made in the organization, or new technology is implemented?
- Is an internal or external evaluation, or a combination of both, most appropriate for the covered entity?
- Are periodic evaluation reports and the supporting material considered in the analysis, recommendations, and subsequent changes fully documented?
Is your organization still facing challenges with policies and procedures for creating, changing, and safeguarding passwords?
- Are there policies in place that prevent workforce members from sharing passwords with others?
- Is the workforce advised to commit their passwords to memory?
- Are common sense precautions taken, such as not writing passwords down and leaving them in areas that are visible or accessible to others?
- Does each workforce member have a unique user identifier?
- What is the current format used for unique user identification?
- Can the unique user identifier be used to track user activity within information systems that contain EPHI?
- Who needs access to the EPHI in the event of an emergency?
- Are there policies and procedures in place to provide appropriate access to EPHI in emergency situations?
Do you have procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information?