First HIPAA Policy & Procedures Author
© 2010-12 Clearwater Compliance LLC | All Rights Reserved
"Whatsoever things I see or hear concerning the life of men, in my attendance on the sick or even apart therefrom, which ought not to be noised abroad, I will keep silence thereon, counting such things to be as sacred as secrets."
- Hippocratic Oath, 4th Century, B.C.E.
Welcome to today’s Live Event… we will begin shortly… Please feel free to use “Chat” or “Q&A” to tell us any ‘burning’ questions you may have in advance
How to Develop Your HIPAA-HITECH Policies and Procedures
November 8, 2012
Bob Chaput, MA, CISSP, CIPP/US, CHP, CHSS, MCSE | 615-656-4299 or 800-704-3394 | [email protected] | Clearwater Compliance LLC
Bob Chaput, MA CISSP, CIPP/US, CHP, CHSS
• President – Clearwater Compliance LLC
• 30+ years in Business, Operations and Technology
• 20+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Numerous Technical Certifications (MCSE, MCSA, etc.)
• Expertise and Focus: Healthcare, Financial Services, Legal
• Member: NMGMA, HIMSS, ISSA, HCCA, ACHE, AHIMA, NTC, ACP, Chambers, Boards
http://www.linkedin.com/in/BobChaput
Our Passion
We’re excited about what we do because… …we’re helping organizations safeguard the very personal and private healthcare information of millions of fellow Americans… … And, keeping those same organizations off the Wall of Shame…!
Clearwater HIPAA Audit Prep BootCamp™
Take Your HIPAA Compliance Program to a Better Place, Faster
• December 6, 2012 | Ft. Lauderdale, FL
• February 21, 2013 | Washington DC
• March 21, 2013 | San Diego CA
Expert Instructors
• Mary Chaput, MBA, CIPP/US – CFO & Chief Compliance Officer, Clearwater Compliance
• Bob Chaput, CISSP, CIPP/US, CHP, CHSS – CEO, Clearwater Compliance
• James C. Pyles – Principal, Powers Pyles Sutter & Verville PC
• David Andrews, CPA, MS, MA – SVP and Chief Compliance Officer, Hospice Compassus
Poll #1 – Best Medium for You?
7 Actions to Take Now
1. Privacy and Security Risk Management & Governance Program (45 CFR § 164.308(a)(1))
2. Complete a HIPAA Security Evaluation (45 CFR § 164.308(a)(8))
3. Complete a Privacy Rule compliance assessment (45 CFR §164.530)
4. Complete a Breach Rule compliance assessment (45 CFR §164.400)
5. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
6. Develop comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530, 45 CFR §164.316 and 45 CFR §164.414)
7. Document and act upon a corrective action plan
Demonstrate Good Faith Effort!
Session Objectives
1. Case for Action
2. Learn Explicit Requirements
3. Get Started With Practical, Actionable Next Steps
Mega Session Objective
Help You Understand that Policies and Procedures are a crucial part of HIPAA and HITECH compliance!... And how to develop them!
OCR Corrective Action Plans
CAP requirements across the OCR corrective action plans for MEEI, CVS, Rite-Aid, BCBS TN, Mass General Hospital, Phoenix Cardiac Surgery, UCLA and AK DHSS. Each “x” marks one CAP that includes the requirement:
• Establish a Comprehensive Information Security Program – x
• Designate an accountable Security Owner – x x
• Develop and maintain privacy and security policies and procedures to comply with Federal standards – x x x x x x x
• Distribute and update policies and procedures – x x x x x x x
• Procedures to include responding to security incidents – x x x x x x x
• Implement training with certifications and sanctions for non-compliance – x x x x x x x
• Conduct a Risk Analysis and a Risk Management Process – x x x x x x x x
• Design and Implement Reasonable Administrative, Physical and Technical Safeguards to control risks – x x x x x x x x
• Develop and use reasonable steps to select and retain service providers – x
• Evaluate and adjust Security Program in light of testing and monitoring and material changes to the environment – x x x x x x x x
• Obtain assessments from qualified objective independent 3rd party – x x x x x x x x
• Retain required documentation – x x x x x x x x
KPMG Contract Language¹
“The protocol should be a comprehensive methodology, serving as a single source of audit criteria, assessment methods, and procedures for the conduct of the HIPAA privacy and security compliance audits, reflecting the specific requirements that apply to each of the three types of covered entities; covered healthcare providers, health plans and health care clearinghouses.
The protocol should assess whether such entities have, consistent with these regulations, comprehensive policies and procedures to address critical requirements to which the entity is subject and to determine whether routine operations implement these policies and procedures consistently with the Rules.
The audit protocol should provide for comprehensive assessment of policies, procedures, practices, systems, operations and Infrastructure.”
¹ Task Order: HHSP233201100252G, Contract: GS-3F-8127H, Page 6 of 26
Evaluation Audit Protocols
Established Performance Criteria: §164.308(a)(8) Evaluation - Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
Key Activity: Develop Standards and Measurements for Reviewing All Standards and Implementation Specifications of the Security Rule
Audit Procedures:
1. Inquire of management as to whether policy and procedures exist to ensure an evaluation considers all elements of the HIPAA Security Rule.
2. Obtain and review policy and procedures used and evaluate the content in relation to the specified criteria.
3. Determine if the process has been approved and updated on a periodic basis as required.
Evaluation Audit Protocols
Established Performance Criteria: §164.308(a)(8) Evaluation - Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
Key Activity: Conduct Evaluation
Audit Procedures:
1. Inquire of management as to whether policy and procedures exist to ensure all necessary information needed to conduct an evaluation is obtained and documented in advance.
2. Obtain and review the evaluation process in place in relation to the specified criteria.
3. Determine if the policy and procedures have been approved and updated on a periodic basis.
Evaluation Audit Protocols
Established Performance Criteria: §164.308(a)(8) Evaluation - Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
Key Activity: Document Results
Audit Procedures:
1. Inquire of management as to whether formal or informal policy and procedures exist to document the evaluation of findings, remediation options and recommendations, and remediation decisions.
2. Obtain and review formal or informal policy and procedures used to document the evaluation of findings, remediation options and recommendations, and remediation decisions in relation to the specified criteria.
3. Determine if written reports of findings are reviewed and approved.
Evaluation Audit Protocols
Established Performance Criteria: §164.308(a)(8) Evaluation - Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
Key Activity: Repeat Evaluations Periodically
Audit Procedures:
1. Inquire of management as to whether formal or informal security policies and procedures specify that evaluations will be repeated when environmental and operational changes are made that affect the security of ePHI.
2. Obtain and review the entity's formal or informal security policies and procedures and evaluate the content in relation to the specified criteria to determine the process for repeat evaluations.
3. Determine if formal or informal security policies and procedures are reviewed on a periodic basis.
Key PnP Audit Items
1. Inquire of management as to whether formal or informal policy and procedures exist
2. Obtain and review formal or informal policy and procedures
3. Evaluate the content in relation to the specified performance
4. Determine if the covered entity's formal or informal policy and procedures have been approved and updated on a periodic basis.
Poll #2 – Privacy PnPs?
Policies & Procedures Study
• Majority of respondents admit to serious non-compliant workplace behaviors that place their companies at risk.
• 69% of employees said that they copy confidential or sensitive business information onto USB devices.
• 61% admitted to copying confidential or sensitive business information onto USB devices, and then transferring the information to another computer that is not part of the corporate network.
• Over 50% said that they download personal Internet software.
• 58% said that their companies do not provide adequate training about compliance with data security policies, and about the same number said the data security policies are ineffective.
• About 50% said their corporate data security policies are largely ignored.
• Compared with a similar study conducted by Ponemon Institute in 2007, the rate of non-compliant employee behavior appears to be getting worse over time.
Source: “Trends in Insider Compliance with Data Security Policies: Employees Evade and Ignore Security Policies” is a survey of U.S.-based end-users of corporate information technologies. Results were derived from 967 responses from a sampling frame of 17,021 (5.7% response rate).
Session Objectives
1. Case for Action
2. Learn Explicit Requirements
3. Get Started With Practical, Actionable Next Steps
Three Pillars of HIPAA-HITECH Compliance…
The three pillars (HIPAA and HITECH): Privacy, Security, Breach Notification
• Privacy Final Rule: 75 pages / 27K words; 56 Standards; ~54 “dense” Implementation Specs
• Security Final Rule: 18 pages / 4.5K words; 22 Standards; ~50 Implementation Specs
• Breach Notification IFR: 6 pages / 2K words; 4 Standards; 9 Implementation Specs
Balanced Compliance Program
• Policy defines an organization’s values & expected behaviors; establishes “good faith” intent
• People must include talented privacy & security & technical staff, engaged and supportive management and trained/aware colleagues
• Procedures or process provide the actions required to deliver on organization’s values
• Technology includes the various families of technical security controls including encryption, firewalls, antivirus, intrusion detection, AND Incident management tools
Today’s Focus: Policies and Procedures
Administrative Requirements
• Privacy & Security Official
• Policies & Procedures
• Training
• Safeguards
• Complaint Process
• Sanctions
It’s Federal Regulation - Security
45 C.F.R. §164.316(a)
Standard: Policies and Procedures. (a) Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in Sec. 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
It’s Federal Regulation - Security
45 C.F.R. §164.316(b)(1)
Standard: Documentation. (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
(2) Implementation specifications:
(i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
(ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
(iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
It’s Federal Regulation - Privacy
45 C.F.R. §164.500(i)
(1) Standard: Policies and Procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart.
(2) Standard: Changes to policies and procedures. (i) A covered entity must change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of this subpart or subpart D of this part.
etc…
It’s Federal Regulation - Breach
45 C.F.R. §164.414 Administrative requirements and burden of proof.
Administrative requirements. A covered entity is required to comply with the administrative requirements of §164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart.*
Forget the law… why PnPs?
1. Articulate your values and behavior as an organization
2. Set the stage for needed tools, processes and defense
3. Key components of a Balanced Security Program
Poll #3 – Security PnPs?
Session Objectives
1. Case for Action
2. Learn Explicit Requirements
3. Get Started With Practical, Actionable Next Steps
Policies & Procedures Basic Construction
• Policy #
• Policy Title
• Approved by and date
• Revision Dates
• Purpose – describe why and/or when
• Regulatory Reference
• Overarching Policy
• Who must comply
• Sanctions for non-compliance
• Definitions
• Cross-referenced other Policies and Procedures or SOPs
• Detailed Procedures
• Documentation Requirements
• Tie them to the Regulatory Authority
Each PnP should answer:
1. Who is covered?
2. What is covered?
3. What’s required or prohibited?
4. Who enforces?
5. What happens if I don't comply?
6. Why does this PnP exist?
Cross-Walk your Policies & Procedures to the Regulations
1 Privacy Office Assignment and Responsibilities
2 Privacy Training Requirements
3 Minimum Necessary Uses, Disclosures and Requests
4 Reporting Violations, Sanctions and Mitigation
5 Required Disclosures
6 Request for Health Record
7 Amendment of Health Information
8 Accounting of Disclosures
9 Authorization to Use or Disclose PHI
10 Uses By and Disclosures to Subcontractors and Third Parties
11 De-Identification of Health Information
12 Uses and Disclosures of Limited Data Sets
13 Requests for Restrictions on Uses and Disclosures
14 Requests for Confidential Information
15 Reporting Impermissible Uses and Disclosures
16 Reporting and Responding to Privacy Complaints
17 No Retaliation or Waiver
18 Data Safeguards
19 Authorized Disclosures
20 Personal Representatives
21 Disclosures to Family, Caregivers and Friends
23 Disclosures to Program Participants with Mental Incapacities
24 Communications with Minor Program Participants
25 Permission to Leave Messages with PHI
26 Uses and Disclosures for Treatment Purposes
27 Uses and Disclosures for Health Care Operations
28 Uses and Disclosures for Marketing
29 Uses and Disclosures of Limited Data Sets
30 Uses and Disclosures for Court Orders
31 Uses and Disclosures Required by Law
32 Uses and Disclosures for Law Enforcement
33 Urgent Situations
34 Emergent Situations
35 Disclosure for Suspected or Confirmed Abuse, Domestic Violence
36 De-Identification of Health Information
37 Compliance for Site Tours
38 Obligation to Protect Colleague Health Information
39 Verification of Identity Prior to Disclosure
Page 38
Systematic, Sustainable Programmatic Approach: Reenergize and operationalize your HIPAA-HITECH Compliance Program…
Must Operationalize Compliance
• Develop / Revise PnPs
• Implement & Train
• Remediate
• Audit Practice to PnPs
Page 39
Poll #4 – Breach Notification PnPs?
Page 40
11 Steps to Develop HIPAA Policies and Procedures
1. Form a Cross-Functional Policy Development Task Force
2. Set Business Risk Management Goals
3. Get Educated – Learn the Regulatory Requirements and the Consequences
4. Design your Outline / Standard Template
5. Determine Specific Policies That Are Required
6. Evaluate Alternatives: “Build vs. Buy”
7. Create a Project Plan for Development / Divide and Conquer
8. Build a Change Management / Communications Subproject
9. Create Review-Revise-Approve-Communication Process
10. Integrate into Colleague On-Boarding and Ongoing Training
11. Establish Maintenance Process to Stay Current
Page 41
Essential Elements of Good Policies & Procedures
Page 42
How Our HIPAA-HITECH Policy and Procedure Templates Were Designed
1. Detailed readings of the HIPAA Privacy, Security and HITECH Breach Rules
2. Cross-Referencing of HIPAA Security Final Rule and NIST SP 800-66
3. Assured traceability back to Standards in 45 CFR 164 Subpart C, D and E
4. Empowered you to edit, combine and tailor
Page 43
Contents of the HIPAA Security Policy and Procedure ToolKit™ Enterprise Edition - $1,987.00
1. Fifty-seven (57) comprehensive HIPAA Security Policies and Procedures templates
2. Complete traceability to HIPAA Security Final Rule
3. Comprehensive HIPAA Security & Privacy Glossary of Terms
4. 60 minutes of complimentary email, telephone or web-meeting support
5. And, more…
Comprehensive HIPAA-HITECH Security Policy and Procedure template set (plus: Instructions, Glossary of Terms, Policies Checklist, Resources & References)
Page 44
Policies and Procedures for… Administrative Safeguards
Page 45
Policies for… Physical Safeguards
Page 46
Policies and Procedures for… Technical Safeguards, Policies and Procedures and Documentation
Total: 53 Core Policies and Procedures
Page 47
Additional Policies and Procedures for…
Total: 4 Additional Policies and Procedures
Page 48
Contents of the HIPAA Security Policy and Procedure ToolKit™ SMB Edition - $987.00
1. Nine (9) comprehensive HIPAA Security Policies and Procedures templates
2. Complete traceability to HIPAA Security Final Rule
3. Comprehensive HIPAA Security & Privacy Glossary of Terms
4. 60 minutes of complimentary email, telephone or web-meeting support
5. And, more…
Comprehensive HIPAA-HITECH Security Policy and Procedure template set (plus: Instructions, Glossary of Terms, Policies Checklist, Resources & References)
Page 49
Contents of the HIPAA Security Policy and Procedure ToolKit™ SMB Edition - $987.00
1. Security Management Process
2. Workforce Security
3. Security Awareness & Training
4. Facility Security
5. Workstation, Server and Device Security
6. Maintaining Confidentiality of ePHI
7. Maintaining Integrity of ePHI
8. Maintaining Availability of ePHI
9. Business Associate Contracts and Other Arrangements
53 PnPs
9
Page 50
SMB Edition - HIPAA Security Policy and Procedure ToolKit™ EXAMPLE
1. Security Management Process, with the policies grouped under it on the slide:
• 6. Assigned Security Responsibility
• 0. Security & Privacy Risk Management Council
• 52. Policies and Procedures
• 53. Documentation
• 28. Evaluation
• 2. Risk Analysis
• 3. Risk Management
• 5. Information System Activity Review
• 20. Security Incident Procedures
• 21. Response and Reporting
• 1. Security Management Process
Page 51
HIPAA-HITECH Policies & Procedures Development WorkShop™
High Value – High Impact
I. PREPARATION: A. Plan / Gather; B. Read Ahead; C. Review Materials
II. ONSITE WORKSHOP: A. Facilitate; B. Educate; C. Develop
III. FOLLOW UP SUPPORT: A. Review; B. Revise; C. Recommend
N Days
Page 52
Clearwater HIPAA Privacy Policy and Procedure Offerings

HIPAA Privacy and Breach Notification Policies and Procedures: Covered Entity ($1,987.00)
• HIPAA Privacy and Breach Notification Policies and Procedures ToolKit™ for Covered Entities
• One-Time, Single Business Unit License
• INCLUDES:
  • Forty-four (44) comprehensive HIPAA Privacy and Breach Notification Policies and Procedures templates
  • Complete traceability to HIPAA Privacy Final Rule and Breach Notification IFR
  • Comprehensive HIPAA Security & Privacy Glossary of Terms
  • 60 minutes of complimentary email, telephone or web-meeting support
• Free Updates
• Available Ongoing Support

HIPAA Privacy Policies and Procedures: Business Associate (B2B) ($987.00)
• HIPAA Privacy Policies and Procedures ToolKit™ for those Business Associates that handle only data
• One-Time, Single Business Unit License
• INCLUDES:
  • Eighteen (18) comprehensive HIPAA Privacy Policies and Procedures templates
  • Complete traceability to HIPAA Privacy Final Rule and Breach Notification IFR
  • Comprehensive HIPAA Security & Privacy Glossary of Terms
  • 60 minutes of complimentary email, telephone or web-meeting support
• Free Updates
• Available Ongoing Support

HIPAA Privacy Policies and Procedures: Business Associate (B2C) ($1,487.00)
• HIPAA Privacy Policies and Procedures ToolKit™ for those Business Associates that also interact with individuals
• One-Time, Single Business Unit License
• INCLUDES:
  • Forty-two (42) comprehensive HIPAA Privacy Policies and Procedures templates
  • Complete traceability to HIPAA Privacy Final Rule and Breach Notification IFR
  • Comprehensive HIPAA Security & Privacy Glossary of Terms
  • 60 minutes of complimentary email, telephone or web-meeting support
• Free Updates
• Available Ongoing Support
Page 53
Clearwater HIPAA Security Policy and Procedure Offerings

HIPAA Security Policies and Procedures: ENTERPRISE ($1,987.00)
• HIPAA Security Policies and Procedures ToolKit™ One-Time, Single Business Unit License
• INCLUDES:
  • Fifty-seven (57) comprehensive HIPAA Security Policies and Procedures templates
  • Complete traceability to HIPAA Security Final Rule
  • Comprehensive HIPAA Security & Privacy Glossary of Terms
  • 60 minutes of complimentary email, telephone or web-meeting support
• Free Updates
• Available Ongoing Support

HIPAA Security Policies and Procedures: SMB ($987.00)
• HIPAA Security Policies and Procedures ToolKit™ SMB Edition - One-Time, Single Business Unit License
• INCLUDES:
  • Nine (9) comprehensive HIPAA Security Policies and Procedures templates
  • Complete traceability to HIPAA Security Final Rule
  • Comprehensive HIPAA Security & Privacy Glossary of Terms
  • 60 minutes of complimentary email, telephone or web-meeting support
• Free Updates
• Available Ongoing Support

HIPAA Security Policies and Procedures WorkShop™ (Call for Pricing!)
• HIPAA Security Policies and Procedures WorkShop™
• I. PREPARATION: A. Plan / Gather; B. Read Ahead; C. Complete QuickScreen™
• II. ONSITE ASSESSMENT: A. Facilitate; B. Educate; C. Develop
• III. FOLLOW UP SUPPORT: A. Review; B. Revise; C. Recommend
• Free Updates
• Available Ongoing Support
Page 54
Makes Decision to Move Forward A No-Brainer… Clear Return on Investment…
1. Save Thousands of Dollars in Consulting Fees
2. Jump Start Development Project
3. Take Strategic High Road on Critical Risk Management Issue
Peace of Mind
Page 55
Summary
1. Huge Project; Get Started Now
2. Policies and Procedures are an important part, but only part of a balanced Security Program
3. Large or Small: Consider Getting Help (Tools, Experts, etc)
Page 56
Upcoming HIPAA HITECH Webinars
Register Now! … at: http://abouthipaa.com/webinars/upcoming-live-webinars/
Page 57
Contact
Bob Chaput, CISSP, CIPP/US
Clearwater Compliance LLC
http://www.ClearwaterCompliance.com [email protected]
Phone: 800-704-3394 or 615-656-4299
Page 58
Additional Information
Page 59
HIPAA OCR Audit Protocols
Mentions in Security Only
• “policy and procedures” – 27
• “policies and procedures” – 60
• “formal or informal” – 46
Page 60
Additional Policies and Procedures for…
58. Acceptable Use Policy
59. Network Security Policy
60. Secure Application Development & Maintenance Policy
61. Database Security Policy
62. Remote Access Policy
63. Change Control Policy
64. Vulnerability Management Policy
65. Social Media Security Policy
66. Vendor Management (Security) Policy
67. Data Breach Notification Policy
Total: 4 Additional Policies and Procedures
Others: in our development pipeline
Page 61
Policies & Procedures Other Requirements
• Make them available and accessible to workforce members
• Review them periodically for completeness and accuracy
• Review and update them as needed following a security incident or a change in regulations or a change in operations (including organizational changes)
• Ensure they are reviewed and approved before implementation
• Communicate and train on changes within 30 days of approval
• Maintain versioning control
• Maintain all documentation
Page 62
What Our Customers Say…
“The WorkShop™ process made a very complicated process and subject matter simple. The ToolKit™ itself was excellent and precipitated exactly the right discussion we needed to have.” – outside Legal Counsel, national research consortium
“The HIPAA Security Assessment ToolKit™ and WorkShop™ are a comprehensive approach that effectively guided our organization’s performance against HIPAA-HITECH Security requirements.” – SVP and Chief Compliance, national hospice organization
“… The WorkShop™ process expedited assessment of gaps in our HIPAA Security Compliance program, began to address risk mitigation tasks within a matter of days and… the ‘ToolKit’ was a sound investment for the company, and I can't think of a better framework upon which to launch compliance efforts.” – VP & CIO, national care management organization
“…the process of going through the self-assessment WorkShop™ was a great shared learning experience and teambuilding exercise. In retrospect, I can't think of a better or more efficient way to get started than to use the HIPAA Security Assessment ToolKit.” – CIO, national kidney dialysis center firm
“…this HIPAA Security Assessment Toolkit is worth its weight in gold. If we had to spend our time and resources creating this spreadsheet, we would never complete our compliance program on time…” – Director, Quality Assurance & Regulatory Affairs