HIPAA Human Resource Security
It is important to build security into the entire Human Resource (HR) process, from pre-employment, during employment, and through termination, to ensure that policies and procedures are in place to address security issues. Consistent training throughout the entire process ensures that employees and contractors are fully aware of their roles and responsibilities and understand the criticality of their actions in protecting and securing both information and facilities.
Questions to Consider:
Are background checks performed on all employees, contractors and third parties?
The workforce clearance procedure reviews whether criminal background checks are performed on potential job candidates.
Do background checks include any of the following?
The employee clearance procedure reviews whether criminal background checks are performed on potential job candidates.
- Credit check
- Criminal history
- Previous employment
- Employment references
- Education/Certification verification
Do new employees receive information security awareness training as part of the induction process?
Information security awareness training is crucial to ensure employees understand how to respond to security threats or address HIPAA requirements. Staff members need to be trained on how to fulfill their roles while not breaching HIPAA policies. Employee training can be conducted in a variety of ways and should include a written agreement or certificate upon the conclusion of the training.
Do employees receive ongoing information security training?
Do organizations promptly remove physical and logical access for terminated employees, contractors and third-party users?
As part of the onboarding and termination processes, organizations should create new-hire and termination checklists. This practice ensures terminated employees cannot access sensitive data.
A few items to include on these checklists:
- Computer Equipment
- Enable/Disable Login Accounts
- Office Keys
- Safe combinations
Are employees, contractors and third-party users required to return all company assets on termination?