509-867-3645
Register
All Company Policies

03-Workforce Security

Approved by: William Voss Effective: April 1, 2024
Review: Annual Revised:
Renewed By: Renewed:

Workforce Security

Policy Statement

It is the policy of River City TMS, PLLC to ensure that all members of the workforce who should have access to ePHI have the appropriate level of access required to operate at a privilege level no higher than necessary to accomplish required job duties, to prevent those who should not have access to ePHI from obtaining it, and to ensure that access to ePHI is terminated when employment is terminated.

Procedure

  • Authorization & Supervision §164.308(a)(3)(ii)(A)

    The Security Officer shall have the authorization and/or supervisory permission to approve access to information systems and/or locations where ePHI may be accessed. Since the Office Manager is the person who most closely recognizes a workforce member's need to access data, requests for access to information systems shall be submitted by the Office Manager using the Network Access Request form (Appendix D) and the Hiring and Term Checklist (Appendix F). The workforce member’s access to data shall be granted only as specifically requested and according to the appropriate level required for job duties. The Network Access Request form shall be signed by the Office Manager and the Security Officer or appropriate personnel. 

  • Workforce Clearance §164.308(a)(3)(ii)(B)
    • Employee Background Checks

      River City TMS, PLLC will conduct reference checks, investigative consumer reports, and background investigations on all workforce members prior to authorizing access to ePHI and may use a third party to conduct these background checks. River City TMS, PLLC will conduct background checks in compliance with the federal Fair Credit Reporting Act (FCRA), the Americans with Disabilities Act (ADA), and all other applicable local, state, and federal laws and regulations. River City TMS, PLLC will obtain written consent from workforce members using the Background Check Authorization form (Appendix E) prior to ordering reports from third-party providers, and will provide a description of applicant and workforce member rights and all other documentation as required by law to each workforce member in accordance with FCRA and applicable state and federal statutes. All background checks are subject to these notice and consent requirements.

      The type of information that will be collected by River City TMS, PLLC in background checks may include, but is not limited to, some or all of the following: 

      • Private and government agency reports related to any history of criminal, dishonest, or violent behavior, and other reports that relate to suitability for employment 
      • Education (including degrees awarded and GPA) 
      • Employment history, abilities, and reasons for termination of employment 
      • Professional licensing board reports
      • Address history 
      • Credit reports 
      • Social security number scans 
      • Civil court filings 
      • Motor vehicle and driving records 
      • Professional or personal references
      • I-9 Form (Employment Eligibility & Verification) 

      This information may also be sought out at other times, such as during reassignment or promotional periods, and following safety infractions or other incidents. 

      River City TMS, PLLC reserves the right to withdraw ePHI access to any workforce member upon finding falsification, misrepresentation, or omission of fact on a workforce member application, resume, or other attachments, as well as in verbal statements, regardless of when it is discovered. 

      Background check reports may be maintained in separate, confidential files and retained in accordance with River City TMS, PLLC document retention procedures.

    • Termination Procedures §164.308(a)(3)(ii)(C)
      • Termination of User Logon Account

        Upon termination of a workforce member, independent contractor, or other business associate, whether voluntary or involuntary, the Office Manager shall promptly notify the Security Officer by indicating “Remove Access” on the workforce member’s Network Access Request Form (Appendix D). If the workforce member’s termination is voluntary and the workforce member provides notice, the Office Manager shall promptly notify the Security Officer of the workforce member’s last scheduled workday so that the user account(s) can be configured to expire. If the workforce member’s termination is involuntary, the Office Manager shall promptly notify the Security Officer so that the user account(s) can be closed immediately.  The Office Manager shall be responsible for ensuring that all keys, ID badges, and other access devices as well as River City TMS, PLLC equipment and property are returned to River City TMS, PLLC prior to the workforce member leaving River City TMS, PLLC on the final day of the need for access. Exit interviews shall include a discussion of privacy and security topics regarding ePHI.

      • Change in Access Level

        Pursuant to job description changes that necessitate more or less access to ePHI, the Office Manager shall promptly notify the Security Officer by indicating the change in access on the workforce member’s Network Access Request Form (Appendix D).

        The Security Officer or the designee will periodically review active user accounts for both network and application access, including access to the clinical electronic health record (“EHR”) and the practice management system (“PMS”).

    • Confidentiality Agreement §164.308(a)(4)(i)

      Users of River City TMS, PLLC information resources shall sign, as a condition for employment, an appropriate confidentiality agreement (Appendix C). The agreement shall include the following statement, or a paraphrase of it:

      I understand that any unauthorized use or disclosure of information residing on River City TMS, PLLC information resource systems may result in disciplinary action consistent with the policies and procedures of federal, state, and local agencies.

      Temporary workers and third-party workforce members not already covered by a confidentiality agreement shall sign such a document prior to accessing River City TMS, PLLC information resources. 

      Confidentiality agreements shall be reviewed when there are changes to contracts or other terms of employment, particularly when contracts are ending or workforce members are leaving River City TMS, PLLC.