PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

Transcription

1 PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES TABLE OF CONTENTS A. Overview of HIPAA Compliance Program B. General Policies 1. Glossary of Defined Terms Used in HIPAA Policies and Procedures 2. Privacy Officer and Contact Person 3. Privacy Policies and Procedures 4. Training of Workforce Members on Privacy Policies and Procedures 5. Review and Resolution of Complaints 6. Refraining from Intimidating or Retaliatory Acts 7. Safeguarding Patient Information 8. Uses and Disclosures for Company s Compliance with Law or Proper Administration 9. Contracting with Covered Entities 10. Contracting with Subcontractors 11. Patient Authorization for Use and Disclosure of Protected Health Information 12. Uses and Disclosures for Public Policy Purposes of Covered Entities 13. Interaction with Personal Representatives and Persons Involved in the Patient s Care 14. Incidental Uses and Disclosures of Protected Health Information 15. Uses and Disclosures of Protected Health Information for Marketing 16. Uses and Disclosures of Psychotherapy Notes

2 17. Uses and Disclosures of De-Identified Health Information and Limited Data Sets Information 18. Verification of Identity and Authority 19. Minimum Necessary Requirements 20. Mitigation of Unauthorized Uses and Disclosures 21. Government Investigations 22. Audits C. Patient Rights 23. Special Communication Requirements 24. Access to and Amendment of Protected Health Information 25. Accounting of Non-Routine Disclosures of Protected Health Information 26. Patient s Right to Request Restrictions on Certain Uses and Disclosures 27. Covered Entities Notices of Privacy Practices D. Responding to Security Breaches and Unauthorized Uses and Disclosures E. Forms 28. Responding to Security Breaches 29. Reporting Unauthorized Uses or Disclosures 30. Certification of Training and Agreement of Compliance 31. Business Associate Contract 32. Downstream Subcontractor Agreement If you are interested in licensing HIPAA compliance materials, please contact Daniel Gottlieb at / dgottlieb@mwe.com, or Stephen Bernstein at / sbernstein@mwe.com. 2

3 SECURITY POLICIES AND FORMS FOR BUSINESS ASSOCIATES TABLE OF CONTENTS 1. Glossary 2. Security Management Process Risk Analysis And Management 3. Security Management Process Sanction Policy 4. Security Management Process Information System Activity 5. Assigned Security Responsibility 6. Workforce Security Authorization and/or Supervision; Workforce Clearance 7. Workforce Security Termination Procedures 8. Information Access Management Isolating Health Care Clearinghouse Functions 9. Information Access Management Access Authorization 10. Information Access Management Access Establishment And Modification 11. Security Awareness And Training 12. Security Awareness And Training Protection From Malicious Software 13. Security Awareness And Training Log-In Monitoring 14. Security Awareness And Training Password Management 15. Security Incident Procedures Response And Reporting 16. Contingency Plan Data Backup Plan 17. Contingency Plan Disaster Recovery Plan 18. Contingency Plan Emergency Mode Operation Plan 19. Contingency Plan Testing And Revision Procedures

4 20. Contingency Plan Applications And Data Criticality Analysis 21. Administrative Safeguards - Evaluation 22. Subcontractor Contracts and Other Arrangements 23. Facility Access Controls Contingency Operations 24. Facility Access Controls Facility Security Plan 25. Facility Access Controls Access Control and Validation Procedures 26. Facility Access Controls Maintenance Records 27. Workstation Use 28. Physical Safeguards Workstation Security 29. Device And Media Controls Disposal 30. Device And Media Controls Media Re-use 31. Device And Media Controls Accountability 32. Device And Media Controls Data Backup And Storage 33. Access Control Unique User Identification 34. Access Control Emergency Access Procedure 35. Access Control Automatic Log-off 36. Access Control Encryption and Decryption 37. Technical Safeguards Audit Controls 38. Integrity Mechanism to Authenticate EPHI 39. Person or Entity Authentication 40. Transmission Security Integrity Controls 41. Transmission Security Encryption 42. Policies and Procedures and Documentation Requirements 2

5 43. Appendix A Security Policies Acknowledgement Form 44. Appendix B Termination Checklist 45. Appendix C Request to Delete Network Account 46. Appendix D Network Account Registration Form 47. Appendix E Remote Vendor Access Sample Procedures 48. Appendix F General Security Incident Response Instructions 49. Appendix G Vendor Acknowledgement Form 50. Appendix H Acknowledgement of Responsibility For Building Access 51. Appendix I Security Addendum 52. Appendix J HIPAA Assessment Model Roadmap For Business Associate If you are interested in licensing HIPAA compliance materials, please contact Daniel Gottlieb at / dgottlieb@mwe.com, or Stephen Bernstein at / sbernstein@mwe.com. 3