First HIPAA Policy & Procedures Author

Page 1: First HIPAA Policy & Procedures Author · clearwatercompliance.com/wp-content/uploads/2012-11-08... · 2012-11-08 · February 21, 2013 | Washington DC March 21, 2013 | San Diego CA ...

© 2010-12 Clearwater Compliance LLC | All Rights Reserved


"Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred as secrets."

- Hippocratic Oath, 4th Century, B.C.E.

Welcome to today’s Live Event… we will begin shortly… Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance

First HIPAA Policy & Procedures Author

Page 2

How to Develop Your HIPAA-HITECH Policies and Procedures

November 8, 2012


Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS, MCSE 615-656-4299 or 800-704-3394 [email protected] Clearwater Compliance LLC

Page 3

Bob Chaput, MA CISSP, CIPP/US, CHP, CHSS

• President – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Legal

• Member: NMGMA, HIMSS, ISSA, HCCA, ACHE, AHIMA, NTC, ACP, Chambers, Boards

http://www.linkedin.com/in/BobChaput

Page 4

Our Passion


We’re excited about what we do because…

…we’re helping organizations safeguard the very personal and private healthcare information of millions of fellow Americans…

… And, keeping those same organizations off the Wall of Shame…!

Page 5

Clearwater HIPAA Audit Prep BootCamp™

Take Your HIPAA Compliance Program to a Better Place, Faster

December 6, 2012 | Ft. Lauderdale, FL
February 21, 2013 | Washington DC
March 21, 2013 | San Diego CA

Page 6

Expert Instructors

Mary Chaput, MBA, CIPP/US | CFO & Chief Compliance Officer | Clearwater Compliance

Bob Chaput, CISSP, CIPP/US, CHP, CHSS | CEO | Clearwater Compliance

James C. Pyles | Principal | Powers Pyles Sutter & Verville PC

David Andrews, CPA, MS, MA | SVP and Chief Compliance Officer | Hospice Compassus

Page 7

Poll #1 – Best Medium for You?


Page 8

7 Actions to Take Now

1. Privacy and Security Risk Management & Governance Program (45 CFR § 164.308(a)(1))
2. Complete a HIPAA Security Evaluation (45 CFR § 164.308(a)(8))
3. Complete a Privacy Rule compliance assessment (45 CFR §164.530)
4. Complete a Breach Rule compliance assessment (45 CFR §164.400)
5. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
6. Develop comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530, 45 CFR §164.316 and 45 CFR §164.414)
7. Document and act upon a corrective action plan

Demonstrate Good Faith Effort!

Page 9

Session Objectives

1. Case for Action
2. Learn Explicit Requirements
3. Get Started With Practical, Actionable Next Steps

Page 10

Mega Session Objective

Help You Understand that Policies and Procedures are a crucial part of HIPAA and HITECH compliance!... And how to develop them!

Page 11

OCR Corrective Action Plans

Entities (table columns): MEEI | CVS | Rite-Aid | BCBS TN | Mass General Hospital | Phoenix Cardiac Surgery | UCLA | AK DHSS

CAP Requirement (one x per entity whose corrective action plan includes it):
• Establish a Comprehensive Information Security Program: x
• Designate an accountable Security Owner: x x
• Develop and maintain privacy and security policies and procedures to comply with Federal standards: x x x x x x x
• Distribute and update policies and procedures: x x x x x x x
• Procedures to include responding to security incidents: x x x x x x x
• Implement training with certifications and sanctions for non-compliance: x x x x x x x
• Conduct a Risk Analysis and a Risk Management Process: x x x x x x x x
• Design and Implement Reasonable Administrative, Physical and Technical Safeguards to control risks: x x x x x x x x
• Develop and use reasonable steps to select and retain service providers: x
• Evaluate and adjust Security Program in light of testing and monitoring and material changes to the environment: x x x x x x x x
• Obtain assessments from qualified objective independent 3rd party: x x x x x x x x
• Retain required documentation: x x x x x x x x

Page 12

KPMG Contract Language¹

“The protocol should be a comprehensive methodology, serving as a single source of audit criteria, assessment methods, and procedures for the conduct of the HIPAA privacy and security compliance audits, reflecting the specific requirements that apply to each of the three types of covered entities; covered healthcare providers, health plans and health care clearinghouses.

The protocol should assess whether such entities have, consistent with these regulations, comprehensive policies and procedures to address critical requirements to which the entity is subject and to determine whether routine operations implement these policies and procedures consistently with the Rules.

The audit protocol should provide for comprehensive assessment of policies, procedures, practices, systems, operations and Infrastructure.”

¹ Task Order: HHSP233201100252G; Contract: GS-3F-8127H; Page 6 of 26

Page 13

Evaluation Audit Protocols


Established Performance Criteria: §164.308(a)(8) Evaluation - Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

Key Activity: Develop Standards and Measurements for Reviewing All Standards and Implementation Specifications of the Security Rule

Audit Procedures:
1. Inquire of management as to whether policy and procedures exist to ensure an evaluation considers all elements of the HIPAA Security Rule.
2. Obtain and review policy and procedures used and evaluate the content in relation to the specified criteria.
3. Determine if the process has been approved and updated on a periodic basis as required.

Page 14

Evaluation Audit Protocols


Established Performance Criteria: §164.308(a)(8) Evaluation - Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

Key Activity: Conduct Evaluation

Audit Procedures:
1. Inquire of management as to whether policy and procedures exist to ensure all necessary information needed to conduct an evaluation is obtained and documented in advance.
2. Obtain and review the evaluation process in place in relation to the specified criteria.
3. Determine if the policy and procedures have been approved and updated on a periodic basis.

Page 15

Evaluation Audit Protocols


Established Performance Criteria: §164.308(a)(8) Evaluation - Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

Key Activity: Document Results

Audit Procedures:
1. Inquire of management as to whether formal or informal policy and procedures exist to document the evaluation of findings, remediation options and recommendations, and remediation decisions.
2. Obtain and review formal or informal policy and procedures used to document the evaluation of findings, remediation options and recommendations, and remediation decisions in relation to the specified criteria.
3. Determine if written reports of findings are reviewed and approved.

Page 16

Evaluation Audit Protocols


Established Performance Criteria: §164.308(a)(8) Evaluation - Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

Key Activity: Repeat Evaluations Periodically

Audit Procedures:
1. Inquire of management as to whether formal or informal security policies and procedures specify that evaluations will be repeated when environmental and operational changes are made that affect the security of ePHI.
2. Obtain and review the entity's formal or informal security policies and procedures and evaluate the content in relation to the specified criteria to determine the process for repeat evaluations.
3. Determine if formal or informal security policies and procedures are reviewed on a periodic basis.

Page 17

Key PnP Audit Items

1. Inquire of management as to whether formal or informal policy and procedures exist
2. Obtain and review formal or informal policy and procedures
3. Evaluate the content in relation to the specified performance
4. Determine if the covered entity's formal or informal policy and procedures have been approved and updated on a periodic basis.

Page 18

Poll #2 – Privacy PnPs?


Page 19

Policies & Procedures Study

• Majority of respondents admit to serious non-compliant workplace behaviors that place their companies at risk.
• 69% of employees said that they copy confidential or sensitive business information onto USB devices.
• 61% admitted to copying confidential or sensitive business information onto USB devices, and then transferring the information to another computer that is not part of the corporate network.
• Over 50% said that they download personal Internet software.
• 58% said that their companies do not provide adequate training about compliance with data security policies, and about the same number said the data security policies are ineffective.
• About 50% said their corporate data security policies are largely ignored.
• Compared with a similar study conducted by Ponemon Institute in 2007, the rate of non-compliant employee behavior appears to be getting worse over time.

Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security Policies is a survey of U.S.-based end-users of corporate information technologies. Results were derived from 967 responses from a sampling frame of 17,021 (5.7% response rate).

Page 20

Session Objectives

1. Case for Action
2. Learn Explicit Requirements
3. Get Started With Practical, Actionable Next Steps

Page 21

Three Pillars of HIPAA-HITECH Compliance…

Privacy (HIPAA) | Security (HIPAA) | Breach Notification (HITECH)

Privacy Final Rule • 75 pages / 27K words • 56 Standards • ~54 “dense” Implementation Specs

Security Final Rule • 18 pages / 4.5K words • 22 Standards • ~50 Implementation Specs

Breach Notification IFR • 6 pages / 2K words • 4 Standards • 9 Implementation Specs

Page 22

Balanced Compliance Program

• Policy defines an organization’s values & expected behaviors; establishes “good faith” intent
• Procedures or process provide the actions required to deliver on organization’s values
• People must include talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues
• Technology includes the various families of technical security controls including encryption, firewalls, antivirus, intrusion detection, AND Incident management tools

Today’s Focus: Policies and Procedures

Page 23

Administrative Requirements


• Privacy & Security Official

• Policies & Procedures

• Training

• Safeguards

• Complaint Process

• Sanctions

Page 24

It’s Federal Regulation - Security

45 C.F.R. §164.316(a) Standard: Policies and Procedures. (a) Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in Sec. 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

Page 25

It’s Federal Regulation - Security

45 C.F.R. §164.316(b)(1) Standard: Documentation. (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

(2) Implementation specifications:
(i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
(ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
(iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

Page 26

It’s Federal Regulation - Privacy

45 C.F.R. §164.500(i) (1) Standard: Policies and Procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart.

(2) Standard: Changes to policies and procedures. (i) A covered entity must change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of this subpart or subpart D of this part.

etc…

Page 27

It’s Federal Regulation - Breach

45 C.F.R. §164.414 Administrative requirements and burden of proof. Administrative requirements. A covered entity is required to comply with the administrative requirements of §164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart.*

Page 28

Forget the law… why PnPs?

1. Articulate your values and behavior as an organization
2. Set the stage for needed tools, processes and defense
3. Key components of a Balanced Security Program

Page 29

Poll #3 – Security PnPs?


Page 30

Session Objectives

1. Case for Action
2. Learn Explicit Requirements
3. Get Started With Practical, Actionable Next Steps

Page 31

Policies & Procedures Basic Construction

• Policy #

• Policy Title

• Approved by and date

• Revision Dates

• Purpose – describe why and/or when

• Regulatory Reference

• Overarching Policy

• Who must comply

• Sanctions for non-compliance

• Definitions

• Cross-referenced other Policies and Procedures or SOPs

• Detailed Procedures

• Documentation Requirements

• Tie them to the Regulatory Authority

1. Who is covered?

2. What is covered?

3. What’s required or prohibited?

4. Who enforces?

5. What happens if I don't comply?

6. Why does this PnP exist?


Page 37

Cross-Walk your Policies & Procedures to the Regulations

1 Privacy Office Assignment and Responsibilities
2 Privacy Training Requirements
3 Minimum Necessary Uses, Disclosures and Requests
4 Reporting Violations, Sanctions and Mitigation
5 Required Disclosures
6 Request for Health Record
7 Amendment of Health Information
8 Accounting of Disclosures
9 Authorization to Use or Disclose PHI
10 Uses By and Disclosures to Subcontractors and Third Parties
11 De-Identification of Health Information
12 Uses and Disclosures of Limited Data Sets
13 Requests for Restrictions on Uses and Disclosures
14 Requests for Confidential Information
15 Reporting Impermissible Uses and Disclosures
16 Reporting and Responding to Privacy Complaints
17 No Retaliation or Waiver
18 Data Safeguards
19 Authorized Disclosures
20 Personal Representatives
21 Disclosures to Family, Caregivers and Friends
23 Disclosures to Program Participants with Mental Incapacities
24 Communications with Minor Program Participants
25 Permission to Leave Messages with PHI
26 Uses and Disclosures for Treatment Purposes
27 Uses and Disclosures for Health Care Operations
28 Uses and Disclosures for Marketing
29 Uses and Disclosures of Limited Data Sets
30 Uses and Disclosures for Court Orders
31 Uses and Disclosures Required by Law
32 Uses and Disclosures for Law Enforcement
33 Urgent Situations
34 Emergent Situations
35 Disclosure for Suspected or Confirmed Abuse, Domestic Violence
36 De-Identification of Health Information
37 Compliance for Site Tours
38 Obligation to Protect Colleague Health Information
39 Verification of Identity Prior to Disclosure

Page 38


Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program

Must Operationalize Compliance

Cycle: Develop / Revise PnPs → Implement & Train → Practice to PnPs → Audit → Remediate → back to Develop / Revise PnPs

Page 39

Poll #4 – Breach Notification PnPs?


Page 40

11 Steps to Develop HIPAA Policies and Procedures


1. Form a Cross-Functional Policy Development Task Force
2. Set Business Risk Management Goals
3. Get Educated – Learn the Regulatory Requirements / and the Consequences
4. Design your Outline / Standard Template
5. Determine Specific Policies That Are Required
6. Evaluate Alternatives: “Build vs. Buy”
7. Create a Project Plan for Development / Divide and Conquer
8. Build a Change Management / Communications Subproject
9. Create Review-Revise-Approve-Communication Process
10. Integrate into Colleague On-Boarding and Ongoing Training
11. Establish Maintenance Process to Stay Current

Page 41

Essential Elements of Good Policies & Procedures

Page 42

How Our HIPAA-HITECH Policy and Procedure Templates Were Designed


1. Detailed readings of the HIPAA Privacy, Security and HITECH Breach Rules
2. Cross-Referencing of HIPAA Security Final Rule and NIST SP 800-66
3. Assured traceability back to Standards in 45 CFR 164 Subpart C, D and E
4. Empowered you to edit, combine and tailor

Page 43

Contents of the HIPAA Security Policy and Procedure ToolKit™

Enterprise Edition - $1,987.00

1. Fifty-seven (57) comprehensive HIPAA Security Policies and Procedures templates
2. Complete traceability to HIPAA Security Final Rule
3. Comprehensive HIPAA Security & Privacy Glossary of Terms
4. 60 minutes of complimentary email, telephone or web-meeting support
5. And, more…

Comprehensive HIPAA-HITECH Security Policy and Procedure template set (plus: Instructions, Glossary of Terms, Policies Checklist, Resources & References)

Page 44

Policies and Procedures for… Administrative Safeguards

Page 45

Policies for… Physical Safeguards

Page 46

Policies and Procedures for… Technical Safeguards, Policies and Procedures and Documentation

Total: 53 Core Policies and Procedures

Page 47

Additional Policies and Procedures for…

Total: 4 Additional Policies and Procedures

Page 48

Contents of the HIPAA Security Policy and Procedure ToolKit™

SMB Edition - $987.00

1. Nine (9) comprehensive HIPAA Security Policies and Procedures templates
2. Complete traceability to HIPAA Security Final Rule
3. Comprehensive HIPAA Security & Privacy Glossary of Terms
4. 60 minutes of complimentary email, telephone or web-meeting support
5. And, more…

Comprehensive HIPAA-HITECH Security Policy and Procedure template set (plus: Instructions, Glossary of Terms, Policies Checklist, Resources & References)

Page 49

Contents of the HIPAA Security Policy and Procedure ToolKit™

SMB Edition - $987.00

1. Security Management Process
2. Workforce Security
3. Security Awareness & Training
4. Facility Security
5. Workstation, Server and Device Security
6. Maintaining Confidentiality of ePHI
7. Maintaining Integrity of ePHI
8. Maintaining Availability of ePHI
9. Business Associate Contracts and Other Arrangements

(Diagram labels, as extracted: “53 PnPs”; “9”)

Page 50

SMB Edition - HIPAA Security Policy and Procedure ToolKit™ EXAMPLE

(Diagram labels, as extracted:)

1. Security Management Process
6. Assigned Security Responsibility
0. Security & Privacy Risk Management Council
52. Policies and Procedures
53. Documentation
28. Evaluation
2. Risk Analysis
3. Risk Management
5. Information System Activity Review
20. Security Incident Procedures
21. Response and Reporting
1. Security Management Process

Page 51

HIPAA-HITECH Policies & Procedures Development WorkShop™

High Value – High Impact (N Days)

I. PREPARATION: A. Plan / Gather; B. Read Ahead; C. Review Materials

II. ONSITE WORKSHOP: A. Facilitate; B. Educate; C. Develop

III. FOLLOW UP SUPPORT: A. Review; B. Revise; C. Recommend

Page 52

Clearwater HIPAA Privacy Policy and Procedure Offerings

HIPAA Privacy and Breach Notification Policies and Procedures: Covered Entity – $1,987.00

• HIPAA Privacy and Breach Notification Policies and Procedures ToolKit™ for Covered Entities
• One-Time, Single Business Unit License

INCLUDES:
• Forty-four (44) comprehensive HIPAA Privacy and Breach Notification Policies and Procedures templates
• Complete traceability to HIPAA Privacy Final Rule and Breach Notification IFR
• Comprehensive HIPAA Security & Privacy Glossary of Terms
• 60 minutes of complimentary email, telephone or web-meeting support
• Free Updates
• Available Ongoing Support

HIPAA Privacy Policies and Procedures: Business Associate (B2B) – $987.00

• HIPAA Privacy Policies and Procedures ToolKit™ for those Business Associates that handle only data
• One-Time, Single Business Unit License

INCLUDES:
• Eighteen (18) comprehensive HIPAA Privacy Policies and Procedures templates
• Complete traceability to HIPAA Privacy Final Rule and Breach Notification IFR
• Comprehensive HIPAA Security & Privacy Glossary of Terms
• 60 minutes of complimentary email, telephone or web-meeting support
• Free Updates
• Available Ongoing Support

HIPAA Privacy Policies and Procedures: Business Associate (B2C) – $1,487.00

• HIPAA Privacy Policies and Procedures ToolKit™ for those Business Associates that also interact with individuals
• One-Time, Single Business Unit License

INCLUDES:
• Forty-two (42) comprehensive HIPAA Privacy Policies and Procedures templates
• Complete traceability to HIPAA Privacy Final Rule and Breach Notification IFR
• Comprehensive HIPAA Security & Privacy Glossary of Terms
• 60 minutes of complimentary email, telephone or web-meeting support
• Free Updates
• Available Ongoing Support

Page 53

Clearwater HIPAA Security Policy and Procedure Offerings

HIPAA Security Policies and Procedures: ENTERPRISE – $1,987.00

• HIPAA Security Policies and Procedures ToolKit™ One-Time, Single Business Unit License

INCLUDES:
• Fifty-seven (57) comprehensive HIPAA Security Policies and Procedures templates
• Complete traceability to HIPAA Security Final Rule
• Comprehensive HIPAA Security & Privacy Glossary of Terms
• 60 minutes of complimentary email, telephone or web-meeting support
• Free Updates
• Available Ongoing Support

HIPAA Security Policies and Procedures: SMB – $987.00

• HIPAA Security Policies and Procedures ToolKit™ SMB Edition - One-Time, Single Business Unit License

INCLUDES:
• Nine (9) comprehensive HIPAA Security Policies and Procedures templates
• Complete traceability to HIPAA Security Final Rule
• Comprehensive HIPAA Security & Privacy Glossary of Terms
• 60 minutes of complimentary email, telephone or web-meeting support
• Free Updates
• Available Ongoing Support

HIPAA Security Policies and Procedures WorkShop™ – Call for Pricing!

• HIPAA Security Policies and Procedures WorkShop™

I. PREPARATION: A. Plan / Gather; B. Read Ahead; C. Complete QuickScreen™

II. ONSITE ASSESSMENT: A. Facilitate; B. Educate; C. Develop

III. FOLLOW UP SUPPORT: A. Review; B. Revise; C. Recommend

• Free Updates
• Available Ongoing Support

Page 54

Makes Decision to Move Forward A No-Brainer…

1. Save Thousands of Dollars in Consulting Fees
2. Jump Start Development Project
3. Take Strategic High Road on Critical Risk Management Issue

Clear Return on Investment… Peace of Mind

Page 55

Summary

1. Huge Project; Get Started Now
2. Policies and Procedures are an important part, but only part of a balanced Security Program
3. Large or Small: Consider Getting Help (Tools, Experts, etc.)

Page 58

Additional Information

Page 59

HIPAA OCR Audit Protocols

Mentions in Security Only

• “policy and procedures” – 27
• “policies and procedures” – 60
• “formal or informal” – 46

Page 60

Additional Policies and Procedures for…

58. Acceptable Use Policy
59. Network Security Policy
60. Secure Application Development & Maintenance Policy
61. Database Security Policy
62. Remote Access Policy
63. Change Control Policy
64. Vulnerability Management Policy
65. Social Media Security Policy
66. Vendor Management (Security) Policy
67. Data Breach Notification Policy

Total: 4 Additional Policies and Procedures

Others: in our development pipeline

Page 61

Policies & Procedures Other Requirements

• Make them available and accessible to workforce members
• Review them periodically for completeness and accuracy
• Review and update them as needed following a security incident or a change in regulations or a change in operations (including organizational changes)
• Ensure they are reviewed and approved before implementation
• Communicate and train on changes within 30 days of approval
• Maintain versioning control
• Maintain all documentation

Page 62

What Our Customers Say…

“The WorkShop™ process made a very complicated process and subject matter simple. The ToolKit™ itself was excellent and precipitated exactly the right discussion we needed to have.” – outside Legal Counsel, national research consortium

“The HIPAA Security Assessment ToolKit™ and WorkShop™ are a comprehensive approach that effectively guided our organization’s performance against HIPAA-HITECH Security requirements.” – SVP and Chief Compliance, national hospice organization

“… The WorkShop™ process expedited assessment of gaps in our HIPAA Security Compliance program, began to address risk mitigation tasks within a matter of days and… the ‘ToolKit’ was a sound investment for the company, and I can't think of a better framework upon which to launch compliance efforts.” – VP & CIO, national care management organization

“…the process of going through the self-assessment WorkShop™ was a great shared learning experience and teambuilding exercise. In retrospect, I can't think of a better or more efficient way to get started than to use the HIPAA Security Assessment ToolKit.” – CIO, national kidney dialysis center firm

“…this HIPAA Security Assessment Toolkit is worth its weight in gold. If we had to spend our time and resources creating this spreadsheet, we would never complete our compliance program on time…” – Director, Quality Assurance & Regulatory Affairs