Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Transcription

1 Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices Notice of Privacy Practices Uses and disclosures consistent with Notice of Privacy Practices Health plans are required to develop and distribute a notice that provides a clear explanation of privacy practices and an individual s privacy rights. Use and disclosure of PHI must be in a manner that is consistent with the health plan s Notice of Privacy Practices. Uses and disclosures must be outlined in Notice of Privacy Practices. Privacy Policy for Documentation of Compliance Activity Document retention Policy and procedures for document retention should be kept for a minimum of six years. Privacy Policy for Limitation on Access Identification of firewall workforce members Workforce member training A health plan must identify (by name or classification) the persons or classes of persons within its workforce who need access to PHI to carry out their duties. The health plan must also identify individuals who can access PHI, but may not necessarily do so as part of their job functions (e.g., CFO, IT personnel). The health plan must also identify the categories of PHI to which those persons or classes of persons need access in order to fulfill their job responsibilities, and should determine whether any appropriate limitations should be applied to that access. In addition, the health plan must take steps to ensure that only those persons or classes of persons identified as firewall workforce members have access to the PHI identified. Include list in policies and procedures. A covered entity is required to train all members of its workforce on the health plan s particular policies and procedures related to PHI under HIPAA, as necessary and appropriate PAGE GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

2 according to the function of each member s position within the workforce. Develop policies, procedures, forms, and training. Minimum Necessary Uses and Disclosures of PHI Recurring or routine uses or disclosures of PHI Use and disclosure of PHI to plan sponsor The health plan and plan sponsor shall take reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose when using or disclosing PHI or seeking PHI from another covered entity. A health plan must have policies and procedures for disclosures of PHI that are routine and recurring to limit the PHI that it discloses to the minimum necessary for the intended purpose. Health plan must obtain required written certification from plan sponsor. Privacy Policies for Handling Individual Rights Confidential communications Right of individual to request restriction on use or disclosure of PHI Right of individual to access own PHI Termination of restriction on use or disclosure of PHI Right of individual to request an amendment PHI that is incomplete or incorrect Individuals may request to receive PHI communications by alternative means or at alternative locations. Develop policies, procedures, and forms. Individuals have a right to request restrictions on uses and disclosures of PHI about the individual to carry out treatment, payment, and health care operations, and disclosures made to family members or persons who are involved in the health care of the individual. Develop policies, procedures, and forms. Individuals have the right to review or obtain copies of their own PHI. Develop policies, procedures, and forms. Develop policies, procedures, and forms. Individuals have the right to amend or correct their PHI if it is incomplete or incorrect, subject to some exceptions. Health plan is not required to amend PHI, but if not amended must include information about the request to amend if the PHI is transmitted to another entity. Develop policies, procedures, and forms. Right to request an accounting of disclosures. Individuals have the right to request an accounting of disclosures that are other than PAGE GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

3 Privacy Policies and Procedures for Using and Disclosing PHI treatment, payment and health operations that are performed through an electronic health record. Develop policies, procedures, and forms. Uses and disclosures of PHI when individual is present Limitations on uses and disclosure of PHI when individual not present Determination as to whether authorization is valid Verification of individuals who request PHI Personal Representatives Uses and disclosures of PHI to family members, relatives, close personal friends, or others authorized by individual (Personal Representatives) Terminating a restriction on the use or disclosure of PHI If the individual is present, the covered entity may use or disclose PHI if the covered entity obtains the individual s consent, provides an opportunity to object, or determines there is no objection based on circumstances (e.g., with a translator). If the individual is not present, the health plan may determine whether the disclosure is in the best interests of the individual and, if so, disclose only the PHI that is directly relevant to the person's involvement with the individual's care or payment related to the individual's healthcare or needed for notification purposes (e.g., individual is incapacitated). Develop policies and procedures. Authorization is required to certain uses and disclosures of PHI. Develop policies and procedures for determining if the authorization provided is valid. Develop policies and procedures for the verification of the identity of those requesting PHI. Include policies and procedures for: employee, spouse, domestic partner, civil union partner, older children, parent seeking the PHI of a minor child, authorized personal representative, public officials, and person involved in individual s care. Personal Representative may request PHI on individual s behalf. Individual must provide written designation. Policy and procedure should exist for verification of the identity of the Personal Representative requesting the PHI. Develop policies, procedures, and forms. Uses and disclosures for underwriting and A plan that performs underwriting (including but not limited to setting a plan s premium, PAGE GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

4 related purposes Limited data sets and data use agreements De-identification of PHI employee contributions or granting a premium reduction to an individual) may not use or disclose protected health information that is genetic information for underwriting purposes, except in the case of long term care coverage. Ensure that data use agreements cover the use and disclosure of limited data sets. Although still PHI, a covered entity may use and disclose limited data sets. Develop policies and procedures. De-identified Information is health information that does not identify an individual from which 18 specific identifiers have been removed and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. Policies and procedures for de-identifying PHI should include an explanation of identifiers. Develop policies and procedures. Re-identification of PHI Permitted uses and disclosures Outline permitted uses and disclosures of PHI. Uses and disclosures pursuant to an authorization Deceased individuals Outline permitted uses and disclosures of PHI by the health plan allowed pursuant to an authorization. Develop policies, procedures, and forms. Plan may disclose PHI of a deceased person to family or other individuals involved in the person s care prior to their death unless doing so is inconsistent with any prior expressed preference of the deceased, if known, unless individual has been deceased for 50 or more years. Privacy Policies and Procedures for Disclosure for Legal or Public Policy Reasons Whistleblowers Disclosures by workforce members who are victims of a crime Whistleblowers are protected from disclosure of PHI to oversight authorities. Develop policies and procedures. Disclosure of PHI to law enforcement or government agencies in certain cases for victims of a crime. PAGE GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

5 Uses and disclosures of PHI for judicial and administrative proceedings Uses and disclosures of PHI when required by law (e.g., disclosure to HHS when plan audited for compliance with HIPAA) Uses and disclosures of PHI for public health activities Disclosures of PHI about victims of abuse, neglect, or domestic violence A health plan may disclose PHI for judicial and administrative proceedings with notice to the individual. Disclosures for health oversight activities Disclosures for law enforcement purposes Uses and disclosures for cadaveric organ, eye or tissue Disclosures for Armed Forces activities Disclosures for workers compensation purposes Privacy Mini-Security Policies and Procedures Reasonable safeguards to protect PHI from unintentional use or disclosure Must have reasonable safeguards to protect PHI from unintentional use or disclosure of PHI. Miscellaneous Privacy Policies and Procedures Prohibition on conditioning treatment, payment, or healthcare operations on provision of authorization Business Associate contracts Develop policies, procedures, and model agreements outlining the handling and use of PHI PAGE GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

6 by Business Associate. Obtain/update Business Associate Agreement ( BAA ) from each Business Associate. Handling complaints Sanctions for violations Mitigation of harm Refraining from intimidating or retaliatory acts Complaints should be sent to, investigated, and tracked by the Privacy Officer. Develop policies, procedures, and forms. Must have sanctions against workforce members that violate privacy policies and procedures. Develop policies, procedures, and forms. Must, to extent practicable, mitigate any known harmful effect of a use or disclosure of PHI in violation of its own policies and procedures or the HIPAA regulations by its own workforce members or a business associate. May not intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against an individual who exercises a HIPAA right or participates in the filing of a complaint either under the covered entity s own policies and procedures or with HHS. Develop policies and procedures. Include in training. Security Administrative Safeguard Policies and Procedures Security Management Process: Risk Management Security Management Process: Risk Analysis Security Management Process: Sanction Policy Security Management Process: Information System Activity Review Assign Security Responsibility (Security Official) Workforce Security: Authorization and/or Implement security measures to reduce the risk of security threats to ephi. Develop procedures. Document compliance. Conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ephi. Develop procedures. Document compliance. Apply appropriate sanctions against workforce members who fail to comply with the plan s Security policies and procedures. Implement procedures to regularly review information system activity records, such as audit logs, access reports, and security-incident tracking reports. Develop procedure. Appoint a security official to be responsible for development and implementation of Security policies and procedures. Document compliance. Maintain procedures to authorize and/or supervise workforce members who work with ephi or in areas where ephi might be accessed. Develop procedure or replace with reasonable, PAGE GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

7 Supervision Workforce Security: Workforce Clearance Procedure Workforce Security: Termination Procedures Information Access Management: Access Authorization Information Access Management: Access Establishment and Modification Security Awareness and Training: Protection from Malicious Software Security Awareness and Training: Log-in Monitoring Security Awareness and Training: Security Reminders appropriate, and equivalent alternative. Provide procedures to determine whether a particular workforce member s access to ephi is appropriate. Develop procedure or replace with reasonable, appropriate, and equivalent alternative. Provide procedures to terminate access to ephi when workforce member s employment terminates or change in job duties necessitates change in necessary access to ephi. Develop procedure or replace with reasonable, appropriate, and equivalent alternative. Provide policies and procedures to permit access to ephi (e.g., access to workstation, transaction, program, or process). Develop policy and procedure or replace with reasonable, appropriate, and equivalent alternative policy and procedure. Provide policies and procedures that are based upon health plan s access authorization policies to establish, document, review, and modify a user s right of access to a workstation, transaction, program, or process with PHI. Update policy and procedure or replace with reasonable, appropriate, and equivalent alternative policy and procedure. Provide procedures to guard against, detect, and report malicious software. Develop procedure or replace with reasonable, appropriate, and equivalent alternative procedure. Provide procedures to monitor log-in attempts and to report discrepancies. Develop procedure or replace with reasonable, appropriate, and equivalent alternative procedure. Provide periodic information security reminders. Document compliance or document compliance with reasonable, appropriate, and equivalent alternative. Note: While providing periodic Security reminders may be addressable, health plans are required to provide periodic training. Security Awareness and Training: Password Management Security Incident Procedures: Response and Reporting Provide procedures for creating, changing, and safeguarding passwords. Develop procedure or replace with reasonable, appropriate, and equivalent alternative procedure. Implement procedures to identify and respond to suspected or known security incidents, mitigate to the extent practicable, harmful effects of known security incidents, and document PAGE GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

8 incidents and their outcomes. Develop policy and procedure. Contingency Plan: Data Backup Plan Contingency Plan: Disaster Recovery Plan Contingency Plan: Emergency Mode Operation Contingency Plan: Testing and Revision Procedures Contingency Plan: Applications and Data Criticality Analysis Business Associates Evaluation Update and maintain procedures to create and maintain retrievable exact copies of ephi. Develop procedure. Establish (and implement, as needed) procedures to restore any loss of ephi. Develop procedure. Establish (and implement, as needed) procedures to enable continuation of critical business processes and for protection of ephi while operating in the emergency mode. Develop Procedure. Provide procedures for periodic testing and revision of contingency plans. Develop procedure or replace with reasonable, appropriate, and equivalent alternative procedure. Assess the relative criticality of specific applications and data in support of other contingency plan components. Document compliance with procedure or with reasonable, appropriate, and equivalent alternative. Establish written contracts or other arrangements with Business Associates ( BAs ) (or subcontractors) that documents satisfactory assurances that the BA will appropriately safeguard the information. Document compliance. Establish a plan for periodic technical and non-technical evaluation of the standards under this rule in response to environmental or operational changes affecting the security of ephi. Document compliance. Security Physical Safeguard Policies and Procedures Facility Access Control: Contingency Operations Facility Access Control: Facility Security Plan Provide procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. Develop procedure or replace with reasonable, appropriate, and equivalent alternative procedure. Provide policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. Develop policy and procedure or replace PAGE GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

9 with reasonable, appropriate, and equivalent alternative policy and procedure. Facility Access Control: Access Control and Validation Procedures Facility Access Control: Maintenance Records Workstation Use: Function and Attributes Workstation Security: Function and Attributes Device and Media Control: Disposal Device and Media Control: Media Re-Use Device and Media Control: Accountability Device and Media Control: Data Backup and Storage Provide procedures to control and validate a person s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. Develop procedures or replace with reasonable, appropriate, and equivalent alternative procedure. Provide policies and procedures to document repairs and modifications to the physical components of a facility, which are related to security (e.g., hardware, walls, doors, and locks). Develop policy and procedure or replace with reasonable, appropriate, and equivalent alternative policy and procedure. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access. Develop policies and procedures. Implement physical safeguards for all workstations that access ephi to restrict access to authorized users. Document compliance. Implement policies and procedures to address final disposition of ephi, and/or hardware or electronic media on which it is stored. Implement procedures for removal of ephi from electronic media with PHI before the media are available for reuse. Develop procedures. Maintain a record of the movements of hardware and electronic media and the person responsible for its movement. Document compliance or document compliance with reasonable, appropriate, and equivalent alternative. Create a retrievable, exact copy of EPHI, when needed, before movement of equipment. Document compliance or document compliance with reasonable, appropriate, and equivalent alternative. PAGE GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

10 Security Technical Safeguard Policies and Procedures Access Control: Unique User Identification Access Control: Encryption and Decryption Access Control: Emergency Access Procedure Access Control: Automatic Logoff Person or Entity Authentication Audit Controls: Activity Logs Transmission Security: Integrity Controls Transmission Security: Encryption Assign a unique name and/or number for identifying and tracking user identity. Document compliance. Provide mechanism to encrypt and decrypt ephi that is stored. Document compliance or document replacement with reasonable, appropriate, and equivalent alternative. Implement procedures for obtaining necessary ephi during an emergency. Develop procedures. Provide procedures that terminate an electronic session after a predetermined time of inactivity. Develop procedures or replace with reasonable, appropriate, and equivalent alternative procedures. Implement procedures to verify that a person or entity seeking access to ephi is the one claimed. Develop procedure. Implement Audit Controls, hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ephi. Document compliance. Provide policies and procedures to establish security measures to ensure that electronically transmitted ephi is not improperly modified without detection. Develop policies and procedures or replace with reasonable, appropriate, and equivalent alternative procedures. Provide mechanism to encrypt ephi whenever deemed appropriate. Document compliance or compliance with reasonable, appropriate, and equivalent alternative. Breach Notification Risk assessment Notice of Breach to individuals, OCR, and media (if required) Must have policies and procedures in place to determine whether a breach exists. Develop policies, procedures, and forms. Should have model forms for tracking, investigating, and providing notification of Breach. Develop model forms. PAGE GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

11 Timeliness of Notification of Breach Notification of Breach methodology Should have process to provide timely notification including appropriate timing and process to obtain information from BA if BA experiences a breach. Documents providing methods for notifying individuals and OCR (and the media if required) Develop policies and procedures, including means to notify affected individuals or personal representatives and how to follow up if contact information is insufficient. Notification Content Notices must have specific content. Develop standard templates or forms. Note: This checklist is designed for use by employers sponsoring health plans. Additional requirements apply to other types of covered entities such as healthcare providers. PAGE GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016