First HIPAA Policy & Procedures Authorclearwatercompliance.com/wp-content/uploads/2012-11-08... ·...

© 2010-12 Clearwater Compliance LLC | All Rights Reserved

1

"Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred as secrets."

- Hippocratic Oath, 4th Century, B.C.E.

Welcome to today’s Live Event… we will begin shortly… Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance

First HIPAA Policy & Procedures Author


How to Develop Your HIPAA-HITECH Policies

and Procedures

November 8, 2012

2

Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS, MCSE 615-656-4299 or 800-704-3394 [email protected] Clearwater Compliance LLC

http://www.linkedin.com/in/BobChaput




Bob Chaput, MA CISSP, CIPP/US, CHP, CHSS

3

• President – Clearwater Compliance LLC • 30+ years in Business, Operations and Technology • 20+ years in Healthcare • Executive | Educator |Entrepreneur • Global Executive: GE, JNJ, HWAY • Responsible for largest healthcare datasets in world • Numerous Technical Certifications (MCSE, MCSA, etc) • Expertise and Focus: Healthcare, Financial Services, Legal

• Member: NMGMA, HIMSS, ISSA, HCCA, ACHE, AHIMA, NTC, ACP, Chambers, Boards


http://hipaasecurityassessment.com/




Our Passion

4

… And, keeping those same

organizations off the Wall of

Shame…!

…we’re helping

organizations

safeguard the very

personal and

private healthcare

information of

millions of fellow

Americans…

We’re excited about

what we do

because…


December 6, 2012 | Ft. Lauderdale, FL February 21, 2013 | Washington DC

March 21, 2013 | San Diego CA Clearwater HIPAA Audit Prep BootCamp™

Take Your

HIPAA

Compliance

Program to a

Better Place,

Faster

http://www.clearwatercompliance.com/bootcamp



6

Mary Chaput, MBA, CIPP/US

CFO & Chief Compliance Officer

Clearwater Compliance

Bob Chaput, CISSP, CIPP/US CHP, CHSS

CEO

Clearwater Compliance

Expert Instructors

James C. Pyles

Principal

Powers Pyles Sutter & Verville PC

David Andrews, CPA, MS, MA

SVP and Chief Compliance Officer

Hospice Compassus

http://clearwatercompliance.com/products-and-services/professional-services-and-consulting/clearwater-hipaa-audit-prep-bootcamp/bootcamp-instructors/




Poll #1 – Best Medium for You?

7


3. Complete a Privacy Rule compliance assessment (45 CFR §164.530)

4. Complete a Breach Rule compliance assessment (45 CFR §164.400)

5. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))

6. Develop comprehensive HIPAA Privacy and Security

and Breach Notification Policies & Procedures (45 CFR §164.530,

45 CFR §164.316 and 45 CFR §164.414 )

7. Document and act upon a corrective action plan

7 Actions to Take Now

8

1. Privacy and Security Risk

Management & Governance

Program (45 CFR § 164.308(a)(1))

2. Complete a HIPAA Security

Evaluation (45 CFR § 164.308(a)(8))

Demonstrate Good Faith Effort!


1. Case for Action

2. Learn Explicit Requirements

3. Get Started With Practical, Actionable Next

Steps

Session Objectives

9


Mega Session Objective

Help You Understand

that Policies and

Procedures are a crucial

part of HIPAA and

HITECH compliance!...

And how to develop

them!

10


CAP Requirement MEEI CVS

Rite-Aid

BCBS TN

Mass General Hospital

Phoenix Cardiac Surgery

UCLA

AK DHSS

Establish a Comprehensive Information Security Program x

Designate an accountable Security Owner x x Develop and maintain privacy and security policies and procedures to comply with Federal standards x x x x x x x Distribute and update policies and procedures x x x x x x x Procedures to include responding to security incidents x x x x x x x Implement training with certifications and sanctions for non-compliance x x x x x x x

Conduct a Risk Analysis and a Risk Management Process x x x x x x x x Design and Implement Reasonable Administrative, Physical and Technical Safeguards to control risks x x x x x x x x Develop and use reasonable steps to select and retain service providers x Evaluate and adjust Security Program in light of testing and monitoring and material changes to the environment x x x x x x x x Obtain assessments from qualified objective independent 3rd party x x x x x x x x

Retain required documentation x x x x x x x x 11

OCR Corrective Action Plans


“The protocol should be a comprehensive

methodology, serving as a single source of audit

criteria, assessment methods, and procedures

for the conduct of the HIPAA privacy and security

compliance audits, reflecting the specific

requirements that apply to each of the three

types of covered entities; covered healthcare

providers, health plans and health care

clearinghouses.

KPMG Contract Language1

12 1Task Order: HHSP233201100252G

Contract: GS-3F-8127H Page 6 of 26

The protocol should assess whether such entities have, consistent with

these regulations, comprehensive policies and procedures to address

critical requirements to which the entity is subject and to determine whether

routine operations implement these policies and procedures

consistently with the Rules.

The audit protocol should provide for comprehensive assessment of

policies, procedures, practices, systems, operations and Infrastructure.”


Evaluation Audit Protocols

13

Audit Procedures Inquire of management as to whether policy and procedures exist to ensure an evaluation considers all

elements of the HIPAA Security Rule. Obtain and review policy and procedures used and evaluate the

content in relation to the specified criteria. Determine if the process has been approved and updated on

a periodic basis as required.

Established Performance

Criteria §164.308(a)(8) Evaluation - Perform a periodic

technical and nontechnical evaluation, based

initially upon the standards implemented under

this rule and subsequently, in response to

environmental or operational changes affecting

the security of electronic protected health

information, which establishes the extent to which

an entity's security policies and procedures meet

the requirements of this subpart.

Key Activity Develop Standards and Measurements for

Reviewing All Standards and Implementation

Specifications of the Security Rule

Audit Procedures 1. Inquire of management as to whether policy and

procedures exist to ensure an evaluation considers all

elements of the HIPAA Security Rule.

2. Obtain and review policy and procedures used and

evaluate the content in relation to the specified criteria.

3. Determine if the process has been approved and

updated on a periodic basis as required.



14

Audit Procedures Inquire of management as to whether policy and procedures exist to ensure all necessary information

needed to conduct an evaluation is obtained and documented in advance. Obtain and review the

evaluation process in place in relation to the specified criteria. Determine if the policy and procedures

have been approved and updated on a periodic basis.


Criteria §164.308(a)(8) Evaluation - Perform a periodic technical

and nontechnical evaluation, based initially upon the

standards implemented under this rule and subsequently, in

response to environmental or operational changes affecting

the security of electronic protected health information,

which establishes the extent to which an entity's security

policies and procedures meet the requirements of this

subpart.

Key Activity Conduct Evaluation

Audit Procedures 1. Inquire of management as to whether policy and

procedures exist to ensure all necessary information

needed to conduct an evaluation is obtained and

documented in advance.

2. Obtain and review the evaluation process in place in

relation to the specified criteria.

3. Determine if the policy and procedures have been

approved and updated on a periodic basis.



15

Audit Procedures Inquire of management as to whether formal or informal policy and procedures exist to document the

evaluation of findings, remediation options and recommendations, and remediation decisions. Obtain

and review formal or informal policy and procedures used to document the evaluation of findings,

remediation options and recommendations, and remediation decisions in relation to the specified

criteria. Determine if written reports of findings are reviewed and approved.


Criteria §164.308(a)(8) Evaluation - Perform a periodic

technical and nontechnical evaluation, based initially

upon the standards implemented under this rule and

subsequently, in response to environmental or

operational changes affecting the security of

electronic protected health information, which

establishes the extent to which an entity's security

policies and procedures meet the requirements of

this subpart.

Key Activity Document Results

Audit Procedures 1. Inquire of management as to whether formal or informal

policy and procedures exist to document the evaluation

of findings, remediation options and recommendations,

and remediation decisions.

2. Obtain and review formal or informal policy and

procedures used to document the evaluation of findings,

remediation options and recommendations, and

remediation decisions in relation to the specified criteria.

3. Determine if written reports of findings are reviewed and

approved.



16

Audit Procedures Inquire of management as to whether formal or informal policy and procedures exist to document the

evaluation of findings, remediation options and recommendations, and remediation decisions. Obtain

and review formal or informal policy and procedures used to document the evaluation of findings,

remediation options and recommendations, and remediation decisions in relation to the specified

criteria. Determine if written reports of findings are reviewed and approved.


Criteria §164.308(a)(8) Evaluation - Perform a periodic technical

and nontechnical evaluation, based initially upon the

standards implemented under this rule and subsequently, in

response to environmental or operational changes affecting

the security of electronic protected health information,

which establishes the extent to which an entity's security

policies and procedures meet the requirements of this

subpart.

Key Activity Repeat Evaluations Periodically

Audit Procedures 1. Inquire of management as to whether formal or informal

security policies and procedures specify that evaluations

will be repeated when environmental and operational

changes are made that affect the security of ePHI.

2. Obtain and review the entity's formal or informal security

policies and procedures and evaluate the content in

relation to the specified criteria to determine the process

for repeat evaluations.

3. Determine if formal or informal security policies and

procedures are reviewed on a periodic basis.


Key PnP Audit Items

17

1. Inquire of management as to

whether formal or informal

policy and procedures exist

2. Obtain and review formal or

informal policy and procedures

3. Evaluate the content in

relation to the specified

performance

4. Determine if the covered

entity's formal or informal

policy and procedures have

been approved and updated

on a periodic basis.


Poll #2 – Privacy PnPs?

18


Policies & Procedures Study • Majority of respondents admit to serious non-compliant

workplace behaviors that place their companies at risk.

• 69% of employees said that they copy confidential or

sensitive business information onto USB devices,

• 61% admitted to copying confidential or sensitive business

information onto USB devices, and then transferring the

information to another computer that is not part of the

corporate network.

• Over 50% said that they download personal Internet

software

• 58% said that their companies do not provide adequate

training about compliance with data security policies, and

about the same number said the data security policies are

ineffective.

• About 50% said their corporate data security policies are

largely ignored

• Compared with a similar study conducted by Ponemon

Institute in 2007, the rate of non-compliant employee

behavior appears to be getting worse over time. 19

Trends in Insider Compliance with

Data Security

Policies: Employees Evade

and Ignore Security

Policies is a survey of U.S.-based end-

users of corporate

information technologies. Results

were derived from

967 responses from a sampling frame of

17,021 (5.7%

response rate).


1. Case for Action



Steps

Session Objectives

20


Three Pillars of HIPAA-HITECH Compliance…

21

Pri

va

cy

Sec

uri

ty

Bre

ach

No

tifi

cati

on

… …

HITECH

HIPAA

Breach Notification IFR • 6 pages / 2K words • 4 Standards • 9 Implementation

Specs

Privacy Final Rule • 75 pages / 27K words • 56 Standards • ~ 54 “dense”

Implementation Specs

Security Final Rule • 18 pages / 4.5K words • 22 Standards • ~50 Implementation

Specs


Balanced Compliance Program

Policy defines an

organization’s values & expected behaviors; establishes “good faith” intent

People must include

talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues

Procedures or

process provide the actions required to deliver on

organization’s values

Technology includes the various families of technical security controls

including encryption, firewalls, antivirus, intrusion

detection, AND Incident management tools

Balanced

Compliance

Program

Today’s Focus: Policies and Procedures


Administrative Requirements

23

• Privacy & Security Official

• Policies & Procedures

• Training

• Safeguards

• Complaint Process

• Sanctions


45 C.F.R. §164.316(a)

Standard: Policies and Procedures. (a)

Implement reasonable and appropriate policies

and procedures to comply with the standards,

implementation specifications, or other

requirements of this subpart, taking into account

those factors specified in Sec. 164.306(b)(2)(i),

(ii), (iii), and (iv). This standard is not to be

construed to permit or excuse an action that

violates any other standard, implementation

specification, or other requirements of this

subpart. A covered entity may change its policies

and procedures at any time, provided that the

changes are documented and are implemented

in accordance with this subpart. 24

It’s Federal Regulation - Security


45 C.F.R. §164.316(b)(1)

Standard: Documentation. (i) Maintain the policies and procedures implemented to

comply with this subpart in written (which may be

electronic) form; and

(ii) If an action, activity or assessment is required by this

subpart to be documented, maintain a written (which may

be electronic) record of the action, activity, or assessment.

(2) Implementation specifications: (i) Time limit (Required). Retain the documentation required by

paragraph (b)(1) of this section for 6 years from the date of its

creation or the date when it last was in effect, whichever is later.

(ii) Availability (Required). Make documentation available to those

persons responsible for implementing the procedures to which the

documentation pertains.

(iii) Updates (Required). Review documentation periodically, and

update as needed, in response to environmental or operational

changes affecting the security of the electronic protected health

information.

25

It’s Federal Regulation - Security


45 C.F.R. §164.500(i) (1) Standard: Policies and Procedures.

A covered entity must implement policies and procedures with

respect to protected health information that are designed to

comply with the standards, implementation specifications, or other

requirements of this subpart and subpart D of this part. The

policies and procedures must be reasonably designed, taking into

account the size and the type of activities that relate to protected

health information undertaken by a covered entity, to ensure such

compliance. This standard is not to be construed to permit or

excuse an action that violates any other standard, implementation

specification, or other requirement of this subpart.

(2) Standard: Changes to policies and procedures.

(i) A covered entity must change its policies and procedures as

necessary and appropriate to comply with changes in the law,

including the standards, requirements, and implementation

specifications of this subpart or subpart D of this part.

etc… 26

It’s Federal Regulation - Privacy


45 C.F.R. §164.414 Administrative requirements and burden of proof.

Administrative requirements. A covered entity is

required to comply with the administrative requirements

of §164.530(b), (d), (e), (g), (h), (i), and (j) with

respect to the requirements of this subpart.*

27

It’s Federal Regulation - Breach


Forget the law… why PnPs?

28

1. Articulate your values and

behavior as an organization

2. Set the stage for needed

tools, processes and defense

3. Key components of a

Balanced Security Program


Poll #3 – Security PnPs?

29


1. Case for Action



Steps

Session Objectives

30


Policies & Procedures Basic Construction

• Policy #

• Policy Title

• Approved by and date

• Revision Dates

• Purpose –describe why and/or when

• Regulatory Reference

• Overarching Policy

• Who must comply

• Sanctions for non-compliance

• Definitions

• Cross-referenced other Policies and Procedures or SOPs

• Detailed Procedures

• Documentation Requirements

• Tie them to the Regulatory Authority 31

1. Who is covered?

2. What is covered?

3. What’s required or prohibited?

4. Who enforces?

5. What happens if I don't comply?

6. Why does this PnP exist?


32


33


34


35


36


37

1 Privacy Office Assignment and Responsibilities

2 Privacy Training Requirements

3 Minimum Necessary Uses, Disclosures and Requests

4 Reporting Violations, Sanctions and Mitigation

5 Required Disclosures

6 Request for Health Record

7 Amendment of Health Information

8 Accounting of Disclosures

9 Authorization to Use or Disclose PHI

10 Uses By and Disclosures to Subcontractors and Third Parties

11 De-Identification of Health Information

12 Uses and Disclosures of Limited Data Sets

13 Requests for Restrictions on Uses and Disclosures

14 Requests for Confidential Information

15 Reporting Impermissible Uses and Disclosures

16 Reporting and Responding to Privacy Complaints

17 No Retaliation or Waiver

18 Data Safeguards

19 Authorized Disclosures

20 Personal Representatives

21 Disclosures to Family, Caregivers and Friends

23 Disclosures to Program Participants with Mental Incapacities

24 Communications with Minor Program Participants

25 Permission to Leave Messages with PHI

26 Uses and Disclosures for Treatment Purposes

27 Uses and Disclosures for Health Care Operations

28 Uses and Disclosures for Marketing

29 Uses and Disclosures of Limited Data Sets

30 Uses and Disclosures for Court Orders

31 Uses and Disclosures Required by Law

32 Uses and Disclosures for Law Enforcement

33 Urgent Situations

34 Emergent Situations

35 Disclosure for Suspected or Confirmed Abuse, Domestic Violence

36 De-Identification of Health Information

37 Compliance for Site Tours

38 Obligation to Protect Colleague health Information

39 Verification of Identity Prior to Disclosure

Cross-Walk your Policies & Procedures to the Regulations


38

Systematic, Sustainable Programmatic Approach:

Reenergize and operationalize your HIPAA-HITECH Compliance Program

…

Must Operationalize Compliance

Develop /

Revise

PnPs

Implement &

Train

Remediate

Audit

Practice to

PnPs


Poll #4 – Breach Notification PnPs?

39


11 Steps to Develop HIPAA Policies and Procedures

40

1. Form a Cross-Functional Policy

Development Task Force

2. Set Business Risk Management Goals

3. Get Educated – Learn the Regulatory

Requirements / and the Consequences

4. Design your Outline / Standard Template

5. Determine Specific Policies That Are Required

6. Evaluate Alternatives: “Build vs. Buy”

7. Create a Project Plan for Development / Divide and Conquer

8. Build a Change Management / Communications Subproject

9. Create Review-Revise-Approve-Communication Process

10.Integrate into Colleague On-Boarding and Ongoing Training

11.Establish Maintenance Process to Stay Current


Essential Elements of Good

Policies & Procedures

41


How Our HIPAA-HITECH Policy and Procedure Templates Were Designed

42

1. Detailed readings of the HIPAA

Privacy, Security and HITECH

Breach Rules

2. Cross-Referencing of HIPAA Security

Final Rule and NIST SP 800-66

3. Assured traceability back to

Standards in 45 CFR 164 Subpart C,

D and E

4. Empowered you to edit, combine and

tailor


Contents of the HIPAA Security Policy and Procedure ToolKit™

Enterprise Edition - $1,987.00

43

1. Fifty-seven (57) comprehensive HIPAA

Security Policies and Procedures templates

2. Complete traceability to HIPAA Security Final

Rule

3. Comprehensive HIPAA Security & Privacy

Glossary of Terms

4. 60 minutes of complimentary email,

telephone or web-meeting support

5. And, more…

Comprehensive HIPAA-HITECH Security

Policy and Procedure template set (plus:

Instructions, Glossary of Terms, Policies Checklist,

Resources & References)

http://clearwatercompliance.com/hipaa-compliance-software/hipaa-security-policy-template-toolkit/


Policies and Procedures for… Administrative Safeguards

44


Policies for… Physical Safeguards

45


Policies and Procedures for… Technical Safeguards, Policies and Procedures and Documentation

46

Total: 53 Core Policies and Procedures


Additional Policies and Procedures for…

47

Total: 4 Additional Policies and Procedures



SMB Edition - $987.00

48

1. Nine (9) comprehensive HIPAA Security

Policies and Procedures templates

2. Complete traceability to HIPAA Security Final

Rule

3. Comprehensive HIPAA Security & Privacy

Glossary of Terms

4. 60 minutes of complimentary email,

telephone or web-meeting support

5. And, more…

Comprehensive HIPAA-HITECH Security

Policy and Procedure template set (plus:

Instructions, Glossary of Terms, Policies Checklist,

Resources & References)




SMB Edition - $987.00

49

1. Security Management Process

2. Workforce Security

3. Security Awareness & Training

4. Facility Security

5. Workstation, Server and Device Security

6. Maintaining Confidentiality of ePHI

7. Maintaining Integrity of ePHI

8. Maintaining Availability of ePHI

9. Business Associate Contracts and Other

Arrangements

53 PnPs

9



SMB Edition - HIPAA Security Policy and Procedure ToolKit™ EXAMPLE

50

1. Security Management Process

6. Assigned Security Responsibility

0. Security & Privacy Risk

Management Council

52. Policies and Procedures

53. Documentation

28. Evaluation

2. Risk Analysis

3. Risk Management

5. Information System Activity

Review

20. Security Incident Procedures

21. Response and Reporting

1. Security Management

Process



High Value – High Impact

I. PREPARATION A. Plan / Gather B. Read Ahead C. Review Materials

II. ONSITE WORKSHOP A. Facilitate B. Educate C. Develop

III. FOLLOW UP SUPPORT A. Review B. Revise C. Recommend

51

N Days

HIPAA-HITECH Policies & Procedures Development WorkShop™


52

Clearwater HIPAA Privacy Policy and Procedure Offerings

HIPAA Privacy and Breach Notification Policies and

Procedures: Covered Entity $1,987.00

HIPAA Privacy Policies and Procedures: Business

Associate (B2B) $987.00

HIPAA Privacy Policies and Procedures: Business

Associate (B2C) $1,487.00

• HIPAA Privacy and Breach Notification Policies and Procedures ToolKit™ for Covered Entities

• One-Time, Single Business Unit License

• HIPAA Privacy Policies and Procedures ToolKit™ for those Business Associates that handle only data


• HIPAA Privacy Policies and Procedures ToolKit™ for those Business Associates that also interact with individuals


INCLUDES: • Forty-four (44) comprehensive HIPAA

Privacy and Breach Notification Policies and Procedures templates

• Complete traceability to HIPAA Privacy Final Rule and Breach Notification IFR

• Comprehensive HIPAA Security & Privacy Glossary of Terms

• 60 minutes of complimentary email, telephone or web-meeting support

INCLUDES: • Eighteen (18) comprehensive HIPAA

Privacy Policies and Procedures templates




INCLUDES: • Forty-two(42) comprehensive HIPAA

Privacy Policies and Procedures templates




• Free Updates • Free Updates • Free Updates

• Available Ongoing Support • Available Ongoing Support • Available Ongoing Support


53

Clearwater HIPAA Security Policy and Procedure Offerings

HIPAA Security Policies and Procedures: ENTERPRISE

$1,987.00

HIPAA Security Policies and Procedures: SMB

$987.00

HIPAA Security Policies and Procedures WorkShop™

Call for Pricing!

• HIPAA Security Policies and Procedures ToolKit™ One-Time, Single Business Unit License

• HIPAA Security Policies and Procedures ToolKit™ SMB Edition - One-Time, Single Business Unit License

• HIPAA Security Policies and Procedures WorkShop™

INCLUDES: • Fifty-seven (57) comprehensive

HIPAA Security Policies and Procedures templates

• Complete traceability to HIPAA Security Final Rule



INCLUDES: • Nine (9) comprehensive HIPAA

Security Policies and Procedures templates

• Complete traceability to HIPAA Security Final Rule



I. PREPARATION A. Plan / Gather B. Read Ahead C. Complete QuickScreen™

II. ONSITE ASSESSMENT A. Facilitate B. Educate C. Develop

III. FOLLOW UP SUPPORT A. Review B. Revise C. Recommend

• Free Updates • Free Updates • Free Updates

• Available Ongoing Support • Available Ongoing Support • Available Ongoing Support


Makes Decision to Move Forward A No-Brainer…

1. Save Thousands of Dollars in

Consulting Fees

2. Jump Start Development Project

3. Take Strategic High Road on Critical Risk Management Issue

Clear Return on Investment…

54

Peace of Mind

http://hipaasecurityassessment.com/hipaa-compliance-software/hipaa-hitech-security-assessment-toolkit/

© 2010-12 Clearwater Compliance LLC | All Rights Reserved 55

1. Huge Project; Get Started Now

Summary

2. Policies and Procedures are an

important part, but only part of a

balanced Security Program

3. Large or Small: Consider Getting

Help (Tools, Experts, etc)


Register Now! … at: http://abouthipaa.com/webinars/upc

oming-live-webinars/

56

Upcoming HIPAA HITECH Webinars

http://abouthipaa.com/webinars/upcoming-live-webinars/







Bob Chaput, CISSP, CIPP/US

http://www.ClearwaterCompliance.com [email protected]

Phone: 800-704-3394 or 615-656-4299

Clearwater Compliance LLC

57

Contact


http://www.clearwatercompliance.com/

mailto:[email protected]

http://www.linkedin.com/in/bobchaput

http://twitter.com/AboutHIPAA

http://abouthipaa.com/feed/rss/

http://www.vimeo.com/hipaahitechexpert

http://www.slideshare.net/rchaput


http://abouthipaali.org/


Additional Information

58


HIPAA OCR Audit Protocols

59

Mentions in Security Only

• “policy and procedures” – 27

• “policies and procedures” - 60

• “formal or informal” – 46


Additional Policies and Procedures for…

60

58.Acceptable Use Policy

59.Network Security Policy

60.Secure Application Development & Maintenance Policy

61.Database Security Policy

62.Remote Access Policy

63.Change Control Policy

64.Vulnerability Management Policy

65.Social Media Security Policy

66.Vendor Management (Security) Policy

67.Data Breach Notification Policy

Total: 4 Additional Policies and Procedures

Others: in our development pipeline


Policies & Procedures Other Requirements • Make them available and accessible to

workforce members

• Review them periodically for completeness

and accuracy

• Review and update them as needed

following a security incident or a change in

regulations or a change in operations

(including organizational changes)

• Ensure they are reviewed and approved

before implementation

• Communicate and train on changes within

30 days of approval

• Maintain versioning control

• Maintain all documentation

61


“The WorkShop™ process made a very complicated process and subject matter simple. The ToolKit™ itself was excellent and precipitated exactly the right discussion we needed to have.” – outside Legal Counsel, national research consortium

"The HIPAA Security Assessment ToolKit™ and WorkShop™ are a

comprehensive approach that effectively guided our organization’s performance against HIPAA-HITECH Security requirements.” -- SVP and Chief Compliance, national hospice organization

What Our Customers Say…

62

“… The WorkShop™ process expedited assessment of gaps in our HIPAA Security Compliance program, began to address risk mitigation tasks within a matter of days and… the ‘ToolKit’ was a sound investment for the company, and I can't think of a better framework upon which to launch compliance efforts.” – VP & CIO, national care management organization

“…the process of going through the self-assessment WorkShop™ was a great shared learning experience

and teambuilding exercise. In retrospect, I can't think of a better or more efficient way to get started than to use the HIPAA Security Assessment ToolKit.“ – CIO, national kidney dialysis center firm

“…this HIPAA Security Assessment Toolkit is worth its weight in gold. If we had to spend our time and

resources creating this spreadsheet, we would never complete our compliance program on time…” — Director, Quality Assurance & Regulatory Affairs

http://hipaasecurityassessment.com/hipaa-compliance-software/hipaa-hitech-security-assessment-toolkit/

First HIPAA Policy & Procedures Authorclearwatercompliance.com/wp-content/uploads/2012-11-08... ·...

Documents

Transcript of First HIPAA Policy & Procedures Authorclearwatercompliance.com/wp-content/uploads/2012-11-08... ·...