19. Employees Policy
W2H is committed to ensuring that all workforce members actively address security and compliance in their roles at W2H. As such, training is essential to ensuring an understanding of current best practices, the different types and sensitivities of data, and the sanctions associated with non-compliance.
19.1 Applicable Standards
19.1.1 Applicable Standards from the HITRUST Common Security Framework
- 02.e - Information Security Awareness, Education, and Training
- 06.e - Prevention of Misuse of Information Assets
- 07.c - Acceptable Use of Assets
- 09.j - Controls Against Malicious Code
- 01.y - Teleworking
19.1.2 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(5)(i) - Security Awareness and Training
19.2 Pre-Employment Policies
- The Penn Medicine Human Resources department will subject all workforce members of the health system to pre-employment screening, which may include background investigations. Background investigations may include, but are not limited to:
- Character references
- Confirmation of claimed academic and professional qualifications
- Professional license validation
- Credit check
- Criminal background check
- Office of the Inspector General (OIG) database check
19.3 Employment Policies
- All new workforce members, including contractors, are given training on security policies and procedures, including operations security, within 30 days of employment.
- Records of training are kept for all workforce members.
- Current W2H training is offered via Penn Medicine or University of Pennsylvania employee training services.
- Employees must complete this training before accessing production systems containing ePHI.
- All workforce members are granted access to formal organizational policies, which include the sanction policy for security violations.
- The Penn Medicine and University of Pennsylvania employee policies clearly state the responsibilities and acceptable behavior regarding information system usage, including rules for email, Internet, mobile device, and social media usage.
- The Human Resources department will emphasize secure and confidential information handling policies when introducing new individuals to Penn Medicine / School of Medicine. A copy of the Information Security policies will be made available to all new workforce members.
- Workforce members will acknowledge in writing that they understand their responsibilities as stated in the policies.
- W2H does not allow mobile devices to connect to any of its production networks.
- All workforce members are educated about the approved set of tools to be installed on workstations.
- All new workforce members are given HIPAA training within 30 days of beginning employment. Training includes HIPAA reporting requirements, including the ability to anonymously report security incidents, and the levels of compliance and obligations for W2H and its Customers and Partners.
- All remote (teleworking) workforce members are trained on the risks, the controls implemented, their responsibilities, and the sanctions associated with violation of policies. Additionally, remote security is maintained by requiring a VPN tunnel for all remote access to production systems with access to ePHI data.
- Employees may only use Penn Medicine or the University of Pennsylvania-purchased and -owned workstations for accessing production systems with access to ePHI data.
- Any workstations used to access production systems must be configured as prescribed in §7.8.
- PMACS uses JAMF tools to monitor the access and activities of all users on workstations and production systems, in order to meet the auditing policy requirements of §8.
- Access to internal W2H systems can be requested using the procedures outlined in §7.2. All requests for access must be granted by the W2H Security Officer or designated personnel.
- Requests for modification of access for any W2H employee can be made using the procedures outlined in §7.2.
- Employees are required to cooperate with federal and state investigations following Penn Medicine guidelines.
19.4 Issue Escalation
W2H workforce members are to escalate issues as described in HIPAA training.
Security incidents, particularly those involving ePHI, are handled using the process described in §11.2. If the incident involves a breach of ePHI, the Security Officer manages the incident using the process described in §12.2. Refer to §11.2 for a list of sample items that can trigger W2H's incident response procedures; if you are unsure whether an issue is a security incident, contact the Security Officer immediately.