Risk: Lack of roles delegation
Explanation: Your business associates or workforce members can, knowingly or unknowingly, access confidential ePHI if your practice does not clearly define, along logical lines, the roles and responsibilities assigned to each member. This matters because clear role definition ensures that no single member holds so much authority that they can decide on their own to access critical and confidential systems and information.
Let us illustrate this with a simple example. Say one of your workforce members is responsible for reviewing the access logs. Because of your practice's poor role delegation, the same person is also responsible for updating patient records. In this scenario, that member is essentially left to monitor their own access to ePHI, facilities and systems. This can result in unauthorized access attempts by that same member against your practice's ePHI.
Mitigation: Some important safeguards that may help address this issue include:
- Implementing policies and procedures ensuring that all workforce members have appropriate access to ePHI and that no member is granted too much authority.
- Assigning a senior-level manager who authorizes operations before they commence.
- Assigning different duties to different workforce members.
- Developing and distributing to your workforce members a work control policy that explains their roles, their responsibilities, the degree of coordination expected between members, compliance requirements and so on.
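The following Python example is added here to show how the scenario above (the log reviewer who also updates patient records) can be caught mechanically before a role is delegated. It is not part of the original risk description; the role names, permission names, conflict pairs and the sample assignment table are all constructed for illustration, and a real practice would load them from its identity or access-management system.

```python
"""Separation-of-duties check over a role assignment table.

Added example, not part of the original text. It flags any workforce member
whose combined roles grant a conflicting pair of permissions, such as
reviewing the access logs while also updating patient records, which would
leave that member monitoring their own ePHI access.
"""
from itertools import combinations

# Each role grants a set of permissions (constructed sample roles).
ROLES = {
    "records_clerk": {"view_patient_records", "update_patient_records"},
    "security_auditor": {"review_access_logs"},
    "front_desk": {"view_schedule"},
    "it_admin": {"manage_accounts", "review_access_logs"},
}

# Pairs of permissions that must never be held by the same person, because
# the holder could perform, approve or audit their own actions (constructed).
CONFLICTING_PERMISSIONS = {
    frozenset({"review_access_logs", "update_patient_records"}),
    frozenset({"review_access_logs", "view_patient_records"}),
    frozenset({"manage_accounts", "update_patient_records"}),
}


def effective_permissions(role_names):
    """Union of the permissions granted by all of a member's roles."""
    perms = set()
    for name in role_names:
        perms |= ROLES[name]  # an unknown role name raises KeyError on purpose
    return perms


def sod_violations(assignments):
    """Return {member: [(perm_a, perm_b), ...]} for every member whose
    combined roles grant at least one conflicting pair of permissions."""
    violations = {}
    for member, role_names in assignments.items():
        perms = effective_permissions(role_names)
        found = []
        for a, b in combinations(sorted(perms), 2):
            if frozenset({a, b}) in CONFLICTING_PERMISSIONS:
                found.append((a, b))
        if found:
            violations[member] = found
    return violations


def check_assignment(assignments, member, new_role):
    """Pre-check for delegating a role: True if adding new_role to member
    keeps the whole assignment table free of conflicts for that member."""
    proposed = dict(assignments)
    proposed[member] = set(assignments.get(member, set())) | {new_role}
    return member not in sod_violations(proposed)


# Constructed sample assignment table reproducing the scenario in the text:
# alice both reviews the access logs and updates patient records.
SAMPLE_ASSIGNMENTS = {
    "alice": {"records_clerk", "security_auditor"},
    "bob": {"records_clerk"},
    "carol": {"security_auditor"},
    "dave": {"front_desk"},
}

if __name__ == "__main__":
    for member, pairs in sod_violations(SAMPLE_ASSIGNMENTS).items():
        for a, b in pairs:
            print(f"{member}: holds both '{a}' and '{b}'")
    print("carol + records_clerk allowed?",
          check_assignment(SAMPLE_ASSIGNMENTS, "carol", "records_clerk"))
```

Running the block reports alice as the only conflict and refuses to add the records_clerk role to carol, who already audits the logs. Running sod_violations over the full assignment table on a schedule, and check_assignment at the moment a manager delegates a role, gives a concrete way to enforce the first and third safeguards above.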
Success Criteria: A decrease in the incidence of security breaches originating from within the organization.