Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Security Policies & Procedures

Section 2 - Workforce Security

 

Title: Designation of Security Official
Policy: SEC-02.00
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.308(a)(2)
Standard: Assigned Security Responsibility
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To identify the designated Security Official for CHS.

Policy

Identify the security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule for OSU.  §164.308(a)(2)

Procedure

A security official for OSU will be appointed by the HIPAA Steering Committee as required. The official designation will be recorded in meeting minutes, and identification and contact information for that official will be posted to the CHS Centernet HIPAA web page.



Title: Authorization and/or Supervision
Policy: SEC-02.01
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.308(a)(3)(i)
Standard: Workforce Security
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To ensure employees have proper access to EPHI.

Policy

OSU will implement procedures for the authorization and/or supervision of workforce members who work with electronic PHI or in locations where it might be accessed.  §164.308(a)(3)(i)

Procedure

  1. All employee access to PHI must be approved by the HIPAA Compliance Office.
  2. All employees who need to work with PHI as part of their official job duties must request access to the PHI using the official EHR Account Request Form currently found on Centernet.
  3. It is the responsibility of the employee’s Supervisor to ensure this request is made.
  4. Requests for access outside the scope of the Account Request Form must be made in writing (paper or electronic) to the HIPAA Compliance Office for approval.

Reference

Policy SEC-04.02 Access Authorization



Title: Workforce Clearance
Policy: SEC-02.02
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.308(a)(3)(ii)(B)
Standard: Workforce Security
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To provide proper authorization prior to giving employees access to EPHI.

Policy

OSU will implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.  §164.308(a)(3)(ii)(B)

Procedure
  1. The HIPAA Compliance Officer or his/her designee will assign access to various fields of PHI based on minimum necessary standards.  The HIPAA Compliance Office will approve new employees and communicate minimum necessary requirements to I.T. technical staff.
  2. All OSU Staff will have signed the approved Confidentiality agreement upon hire and before work is to begin.  The signed form will be put in the employee’s file in Human Resources.
  3. The Supervisor of the employee needing access to electronic PHI will submit a completed EHR Account Request Form to the HIPAA Compliance Office with the signature of the Supervisor and the employee.
  4. Upon receipt of the signed request form, the HIPAA Compliance Office will approve the request if the security requested is deemed appropriate for the type of job held by the employee, or deny the request if information is missing or the requested level of access is deemed not appropriate for the type of job held by the employee.
  5. All requests to access PHI outside of the scope of the EHR Account Request Form are to be made in writing, either on paper or electronically, to the HIPAA Compliance Office for review.
  6. The only individuals authorized to approve access to electronic PHI are the HIPAA Compliance Officer or his/her designee(s).
  7. Employees who knowingly or unknowingly bypass the procedure described in this policy will face sanctions as defined in the Sanctions Policy (SEC-01.03).


Title: Termination Procedures
Policy: SEC-02.03
Category: HIPAA Compliance
Authority: 45 CFR §
HIPAA Section: 164.308(a)(3)(ii)(C)
Standard: Workforce Security
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To ensure that all PHI is protected as required by HIPAA Privacy and Security rules, OSU is establishing what must occur when an employee no longer works for OSU.

Policy

OSU will implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in the Workforce Clearance Policy (SEC-02.02).  §164.308(a)(3)(ii)(C)

All employees who separate from OSU are required to turn in all tools of access to buildings and other areas during the exit interview or as otherwise arranged.  All access to electronic devices and computer media will be disabled immediately.
Procedure
  1. Supervisors will notify the Office of Human Resources regarding employee separation within 24 hours for voluntary separation.  Notification will be immediate when separation is involuntary.  The supervisor will follow the Employee Separation Procedure as dictated by the Office of Human Resources.
  2. Supervisors will notify the HIPAA Compliance Office, OSU I.T. and OSU Security/Campus Police upon notice that an employee will be separating from the institution whether it be voluntary or involuntary.  The supervisor will follow the Employee Separation Procedure as dictated by the Office of Human Resources.
Reference

Human Resources Employee Separation Procedures
Employee Termination Checklist

