MedStack Technology Compliance Policies

Human resource security

Screen employees prior to hiring

  • Responsible party: Hiring manager
  • Clearance
    • Check three professional references
    • Perform a criminal record check
    • Document into a clearance file
  • Purpose
    • Ensure that persons with serious criminal records or histories of financial or legal difficulties do not have inappropriate access to PHI.
Code   Section               Title
ISO    A.7.1.1               Screening
HIPAA  164.308(a)(3)(ii)(B)  Workforce clearance procedure
CHI    SR13                  Verifying the identity of users
SOC2   CC1.4                 COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

Workforce contracts

  • Include language in workforce contracts covering
    • responsibilities for information security
    • the employee's obligation to follow these policies and procedures
    • termination of access and return of assets
Code   Section   Title
ISO    A.7.1.2   Terms and conditions of employment
CHI    SR11      Addressing user responsibilities in job descriptions
CHI    SR12      Addressing user responsibilities in Terms of Employment
SOC2   CC2.2     COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

Authorize minimum necessary access to PHI

  • Authorize the appropriate level of access to PHI to all members of the workforce.
  • Base authorization on the nature and duties of the employee’s job.
  • Immediately modify authorization when the nature of their job changes and requires a different level of access, whether greater or lesser.
Code   Section               Title
HIPAA  164.308(a)(3)(ii)(A)  Workforce security

Terminate employee authorization

  • when their employment relationship with our organization ends
  • when the employee has been sanctioned, as appropriate
  • immediately (with no more than a one-hour delay) upon the occurrence of a triggering event
Code   Section               Title
ISO    A.7.3.1               Termination or change of employment responsibilities
HIPAA  164.308(a)(3)(ii)(C)  Termination procedures

Upon termination, require return of all physical assets

Code   Section   Title
ISO    A.8.1.4   Return of assets

Enforcement

  • Responsible party: All managers and supervisors
  • sanctions: standard

References

Code   Section       Title
ISO    A.7           Human resource security
ISO    A.7.1         Prior to employment
ISO    A.7.3         Termination and change of employment
HIPAA  164.308(a)(3) Workforce security
SOC2   CC2.3         COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
SOC2   CC8.1         The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2   CC9.2         The entity assesses and manages risks associated with vendors and business partners.