Human resource security
MedStack Confidential
Metadata
- responsible officer: CTO
- approved by: CTO
- date
- effective: 2018-06-20
- revised: 2020-08-05
- reviewed: 2022-08-31
Screen employees prior to hiring
- Responsible party: Hiring manager
- Clearance
- Check three professional references
- Perform a criminal record check
- Document into a clearance file
- Purpose
- Ensure that persons with serious criminal records or histories of financial or legal difficulties do not have inappropriate access to PHI.
| Code | Section | Title |
|---|---|---|
| ISO | A.7.1.1 | Screening |
| HIPAA | 164.308(a)(3)(ii)(B) | Workforce clearance procedure (Addressable) |
| CHI | SR13 | Verifying the identity of users |
| SOC2 | CC1.4 | COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. |
Workforce contracts
- Include language in workforce contracts regarding
- responsibilities for information security
- that they are responsible for following these policies and procedures
- termination of access and return of assets
| Code | Section | Title |
|---|---|---|
| ISO | A.7.1.2 | Terms and conditions of employment |
| CHI | SR11 | Addressing user responsiblities in job descriptions |
| CHI | SR12 | Addressing user responsibillities in Terms of Employment |
| SOC2 | CC2.2 | COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. |
Authorize minimum necessary access to PHI
- Authorize the appropriate level of access to PHI to all members of the workforce.
- Base authorization on the nature and duties of the employee’s job.
- Immediately modify authorization when the nature of their job changes and requires a different level of access, whether greater or lesser.
| Code | Section | Title |
|---|---|---|
| HIPAA | 164.308(a)(3)(ii)(A) | Authorization and/or supervision (Addressable) |
Terminate employee authorization
- when their employment relationship with our organization ends
- when the employee has been sanctioned, as appropriate
- immediately (with no more than one hour delay) upon the occurrence of a triggering event
| Code | Section | Title |
|---|---|---|
| ISO | A.7.3.1 | Termination or change of employment responsibilities |
| HIPAA | 164.308(a)(3)(ii)(C) | Termination procedures (Addressable) |
Upon termination, require return of all physical assets
| Code | Section | Title |
|---|---|---|
| ISO | A.8.1.4 | Return of assets |
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title |
|---|---|---|
| ISO | A.7 | Human resource security |
| ISO | A.7.1 | Prior to employment |
| ISO | A.7.3 | Termination and change of employment |
| HIPAA | 164.308(a)(3) | Standard: Workforce security |
| SOC2 | CC2.3 | COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control. |
| SOC2 | CC8.1 | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. |
| SOC2 | CC9.2 | The entity assesses and manages risks associated with vendors and business partners. |