Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification



Similar documents
HIPAA Compliance: Are you prepared for the new regulatory changes?

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA Security Checklist

When HHS Calls, Will Your Plan Be HIPAA Compliant?

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

SECURITY RISK ASSESSMENT SUMMARY

HIPAA Information Security Overview

VMware vcloud Air HIPAA Matrix

HIPAA Compliance Guide

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

HIPAA Security Alert

HIPAA Security COMPLIANCE Checklist For Employers

Datto Compliance 101 1

HIPAA Compliance Guide

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Healthcare Compliance Solutions

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

HIPAA Security Rule Compliance

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

HIPAA/HITECH: A Guide for IT Service Providers

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Policies and Compliance Guide

HIPAA and Mental Health Privacy:

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA PRIVACY POLICIES AND PROCEDURES

HIPAA Security and HITECH Compliance Checklist

HIPAA Security Series

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

ELKIN & ASSOCIATES, LLC. HIPAA Privacy Policy and Procedures INTRODUCTION

Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

How To Write A Health Care Security Rule For A University

Security Is Everyone s Concern:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Metropolitan Living, LLC 151 W. Burnsville Parkway, Suite 101 Burnsville, MN Ph: (952) Fax: (651)

Joseph Suchocki HIPAA Compliance 2015

Harris County - Texas HIPAA Notice of Privacy Practices

HIPAA: In Plain English

The Practical Guide to HIPAA Privacy and Security Compliance

State HIPAA Security Policy State of Connecticut

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

An Effective MSP Approach Towards HIPAA Compliance

Healthcare Management Service Organization Accreditation Program (MSOAP)

C.T. Hellmuth & Associates, Inc.

The HIPAA Audit Program

Montclair State University. HIPAA Security Policy

HIPAA Policies and Procedures

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

Gaston County HIPAA Manual

Compliance HIPAA Training. Steve M. McCarty, Esq. General Counsel Sound Physicians

Krengel Technology HIPAA Policies and Documentation

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA

HIPAA Security Matrix

Notice of Privacy Practices

Effective Date: March 23, 2016

ITS HIPAA Security Compliance Recommendations

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No A-94B, AFL-CIO. Notice of Privacy Practices

Visa Inc. HIPAA Privacy and Security Policies and Procedures

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

Health Information Privacy Refresher Training. March 2013

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

Dr. Adam Apfelblat 5140 Highland Road Waterford Phone: (248) Fax: (248)

HealthStream Regulatory Script

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

UAB MY HEALTH REWARDS BIOMETRIC SCREENING PROGRAM NOTICE OF HEALTH INFORMATION PRACTICES

The HIPAA privacy rule established federal law to help protect the use and disclosure of patient information. The privacy rule prohibits a covered

Genworth Life Insurance Company Genworth Life Insurance Company of New York NOTICE OF PRIVACY PRACTICES

HIPAA BUSINESS ASSOCIATE AGREEMENT

Notice of Privacy Practices. Human Resources Division Employees Benefits Section

Transcription:

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices Notice of Privacy Practices Uses and disclosures consistent with Notice of Privacy Practices Health plans are required to develop and distribute a notice that provides a clear explanation of privacy practices and an individual s privacy rights. Use and disclosure of PHI must be in a manner that is consistent with the health plan s Notice of Privacy Practices. Uses and disclosures must be outlined in Notice of Privacy Practices. Privacy Policy for Documentation of Compliance Activity Document retention Policy and procedures for document retention should be kept for a minimum of six years. Privacy Policy for Limitation on Access Identification of firewall workforce members Workforce member training A health plan must identify (by name or classification) the persons or classes of persons within its workforce who need access to PHI to carry out their duties. The health plan must also identify individuals who can access PHI, but may not necessarily do so as part of their job functions (e.g., CFO, IT personnel). The health plan must also identify the categories of PHI to which those persons or classes of persons need access in order to fulfill their job responsibilities, and should determine whether any appropriate limitations should be applied to that access. In addition, the health plan must take steps to ensure that only those persons or classes of persons identified as firewall workforce members have access to the PHI identified. Include list in policies and procedures. A covered entity is required to train all members of its workforce on the health plan s particular policies and procedures related to PHI under HIPAA, as necessary and appropriate PAGE 1 2016 GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

according to the function of each member s position within the workforce. Develop policies, procedures, forms, and training. Minimum Necessary Uses and Disclosures of PHI Recurring or routine uses or disclosures of PHI Use and disclosure of PHI to plan sponsor The health plan and plan sponsor shall take reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose when using or disclosing PHI or seeking PHI from another covered entity. A health plan must have policies and procedures for disclosures of PHI that are routine and recurring to limit the PHI that it discloses to the minimum necessary for the intended purpose. Health plan must obtain required written certification from plan sponsor. Privacy Policies for Handling Individual Rights Confidential communications Right of individual to request restriction on use or disclosure of PHI Right of individual to access own PHI Termination of restriction on use or disclosure of PHI Right of individual to request an amendment PHI that is incomplete or incorrect Individuals may request to receive PHI communications by alternative means or at alternative locations. Develop policies, procedures, and forms. Individuals have a right to request restrictions on uses and disclosures of PHI about the individual to carry out treatment, payment, and health care operations, and disclosures made to family members or persons who are involved in the health care of the individual. Develop policies, procedures, and forms. Individuals have the right to review or obtain copies of their own PHI. Develop policies, procedures, and forms. Develop policies, procedures, and forms. Individuals have the right to amend or correct their PHI if it is incomplete or incorrect, subject to some exceptions. Health plan is not required to amend PHI, but if not amended must include information about the request to amend if the PHI is transmitted to another entity. Develop policies, procedures, and forms. Right to request an accounting of disclosures. Individuals have the right to request an accounting of disclosures that are other than PAGE 2 2016 GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

Privacy Policies and Procedures for Using and Disclosing PHI treatment, payment and health operations that are performed through an electronic health record. Develop policies, procedures, and forms. Uses and disclosures of PHI when individual is present Limitations on uses and disclosure of PHI when individual not present Determination as to whether authorization is valid Verification of individuals who request PHI Personal Representatives Uses and disclosures of PHI to family members, relatives, close personal friends, or others authorized by individual (Personal Representatives) Terminating a restriction on the use or disclosure of PHI If the individual is present, the covered entity may use or disclose PHI if the covered entity obtains the individual s consent, provides an opportunity to object, or determines there is no objection based on circumstances (e.g., with a translator). If the individual is not present, the health plan may determine whether the disclosure is in the best interests of the individual and, if so, disclose only the PHI that is directly relevant to the person's involvement with the individual's care or payment related to the individual's healthcare or needed for notification purposes (e.g., individual is incapacitated). Develop policies and procedures. Authorization is required to certain uses and disclosures of PHI. Develop policies and procedures for determining if the authorization provided is valid. Develop policies and procedures for the verification of the identity of those requesting PHI. Include policies and procedures for: employee, spouse, domestic partner, civil union partner, older children, parent seeking the PHI of a minor child, authorized personal representative, public officials, and person involved in individual s care. Personal Representative may request PHI on individual s behalf. Individual must provide written designation. Policy and procedure should exist for verification of the identity of the Personal Representative requesting the PHI. Develop policies, procedures, and forms. Uses and disclosures for underwriting and A plan that performs underwriting (including but not limited to setting a plan s premium, PAGE 3 2016 GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

related purposes Limited data sets and data use agreements De-identification of PHI employee contributions or granting a premium reduction to an individual) may not use or disclose protected health information that is genetic information for underwriting purposes, except in the case of long term care coverage. Ensure that data use agreements cover the use and disclosure of limited data sets. Although still PHI, a covered entity may use and disclose limited data sets. Develop policies and procedures. De-identified Information is health information that does not identify an individual from which 18 specific identifiers have been removed and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. Policies and procedures for de-identifying PHI should include an explanation of identifiers. Develop policies and procedures. Re-identification of PHI Permitted uses and disclosures Outline permitted uses and disclosures of PHI. Uses and disclosures pursuant to an authorization Deceased individuals Outline permitted uses and disclosures of PHI by the health plan allowed pursuant to an authorization. Develop policies, procedures, and forms. Plan may disclose PHI of a deceased person to family or other individuals involved in the person s care prior to their death unless doing so is inconsistent with any prior expressed preference of the deceased, if known, unless individual has been deceased for 50 or more years. Privacy Policies and Procedures for Disclosure for Legal or Public Policy Reasons Whistleblowers Disclosures by workforce members who are victims of a crime Whistleblowers are protected from disclosure of PHI to oversight authorities. Develop policies and procedures. Disclosure of PHI to law enforcement or government agencies in certain cases for victims of a crime. PAGE 4 2016 GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

Uses and disclosures of PHI for judicial and administrative proceedings Uses and disclosures of PHI when required by law (e.g., disclosure to HHS when plan audited for compliance with HIPAA) Uses and disclosures of PHI for public health activities Disclosures of PHI about victims of abuse, neglect, or domestic violence A health plan may disclose PHI for judicial and administrative proceedings with notice to the individual. Disclosures for health oversight activities Disclosures for law enforcement purposes Uses and disclosures for cadaveric organ, eye or tissue Disclosures for Armed Forces activities Disclosures for workers compensation purposes Privacy Mini-Security Policies and Procedures Reasonable safeguards to protect PHI from unintentional use or disclosure Must have reasonable safeguards to protect PHI from unintentional use or disclosure of PHI. Miscellaneous Privacy Policies and Procedures Prohibition on conditioning treatment, payment, or healthcare operations on provision of authorization Business Associate contracts Develop policies, procedures, and model agreements outlining the handling and use of PHI PAGE 5 2016 GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

by Business Associate. Obtain/update Business Associate Agreement ( BAA ) from each Business Associate. Handling complaints Sanctions for violations Mitigation of harm Refraining from intimidating or retaliatory acts Complaints should be sent to, investigated, and tracked by the Privacy Officer. Develop policies, procedures, and forms. Must have sanctions against workforce members that violate privacy policies and procedures. Develop policies, procedures, and forms. Must, to extent practicable, mitigate any known harmful effect of a use or disclosure of PHI in violation of its own policies and procedures or the HIPAA regulations by its own workforce members or a business associate. May not intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against an individual who exercises a HIPAA right or participates in the filing of a complaint either under the covered entity s own policies and procedures or with HHS. Develop policies and procedures. Include in training. Security Administrative Safeguard Policies and Procedures Security Management Process: Risk Management Security Management Process: Risk Analysis Security Management Process: Sanction Policy Security Management Process: Information System Activity Review Assign Security Responsibility (Security Official) Workforce Security: Authorization and/or Implement security measures to reduce the risk of security threats to ephi. Develop procedures. Document compliance. Conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ephi. Develop procedures. Document compliance. Apply appropriate sanctions against workforce members who fail to comply with the plan s Security policies and procedures. Implement procedures to regularly review information system activity records, such as audit logs, access reports, and security-incident tracking reports. Develop procedure. Appoint a security official to be responsible for development and implementation of Security policies and procedures. Document compliance. Maintain procedures to authorize and/or supervise workforce members who work with ephi or in areas where ephi might be accessed. Develop procedure or replace with reasonable, PAGE 6 2016 GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

Supervision Workforce Security: Workforce Clearance Procedure Workforce Security: Termination Procedures Information Access Management: Access Authorization Information Access Management: Access Establishment and Modification Security Awareness and Training: Protection from Malicious Software Security Awareness and Training: Log-in Monitoring Security Awareness and Training: Security Reminders appropriate, and equivalent alternative. Provide procedures to determine whether a particular workforce member s access to ephi is appropriate. Develop procedure or replace with reasonable, appropriate, and equivalent alternative. Provide procedures to terminate access to ephi when workforce member s employment terminates or change in job duties necessitates change in necessary access to ephi. Develop procedure or replace with reasonable, appropriate, and equivalent alternative. Provide policies and procedures to permit access to ephi (e.g., access to workstation, transaction, program, or process). Develop policy and procedure or replace with reasonable, appropriate, and equivalent alternative policy and procedure. Provide policies and procedures that are based upon health plan s access authorization policies to establish, document, review, and modify a user s right of access to a workstation, transaction, program, or process with PHI. Update policy and procedure or replace with reasonable, appropriate, and equivalent alternative policy and procedure. Provide procedures to guard against, detect, and report malicious software. Develop procedure or replace with reasonable, appropriate, and equivalent alternative procedure. Provide procedures to monitor log-in attempts and to report discrepancies. Develop procedure or replace with reasonable, appropriate, and equivalent alternative procedure. Provide periodic information security reminders. Document compliance or document compliance with reasonable, appropriate, and equivalent alternative. Note: While providing periodic Security reminders may be addressable, health plans are required to provide periodic training. Security Awareness and Training: Password Management Security Incident Procedures: Response and Reporting Provide procedures for creating, changing, and safeguarding passwords. Develop procedure or replace with reasonable, appropriate, and equivalent alternative procedure. Implement procedures to identify and respond to suspected or known security incidents, mitigate to the extent practicable, harmful effects of known security incidents, and document PAGE 7 2016 GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

incidents and their outcomes. Develop policy and procedure. Contingency Plan: Data Backup Plan Contingency Plan: Disaster Recovery Plan Contingency Plan: Emergency Mode Operation Contingency Plan: Testing and Revision Procedures Contingency Plan: Applications and Data Criticality Analysis Business Associates Evaluation Update and maintain procedures to create and maintain retrievable exact copies of ephi. Develop procedure. Establish (and implement, as needed) procedures to restore any loss of ephi. Develop procedure. Establish (and implement, as needed) procedures to enable continuation of critical business processes and for protection of ephi while operating in the emergency mode. Develop Procedure. Provide procedures for periodic testing and revision of contingency plans. Develop procedure or replace with reasonable, appropriate, and equivalent alternative procedure. Assess the relative criticality of specific applications and data in support of other contingency plan components. Document compliance with procedure or with reasonable, appropriate, and equivalent alternative. Establish written contracts or other arrangements with Business Associates ( BAs ) (or subcontractors) that documents satisfactory assurances that the BA will appropriately safeguard the information. Document compliance. Establish a plan for periodic technical and non-technical evaluation of the standards under this rule in response to environmental or operational changes affecting the security of ephi. Document compliance. Security Physical Safeguard Policies and Procedures Facility Access Control: Contingency Operations Facility Access Control: Facility Security Plan Provide procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. Develop procedure or replace with reasonable, appropriate, and equivalent alternative procedure. Provide policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. Develop policy and procedure or replace PAGE 8 2016 GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

with reasonable, appropriate, and equivalent alternative policy and procedure. Facility Access Control: Access Control and Validation Procedures Facility Access Control: Maintenance Records Workstation Use: Function and Attributes Workstation Security: Function and Attributes Device and Media Control: Disposal Device and Media Control: Media Re-Use Device and Media Control: Accountability Device and Media Control: Data Backup and Storage Provide procedures to control and validate a person s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. Develop procedures or replace with reasonable, appropriate, and equivalent alternative procedure. Provide policies and procedures to document repairs and modifications to the physical components of a facility, which are related to security (e.g., hardware, walls, doors, and locks). Develop policy and procedure or replace with reasonable, appropriate, and equivalent alternative policy and procedure. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access. Develop policies and procedures. Implement physical safeguards for all workstations that access ephi to restrict access to authorized users. Document compliance. Implement policies and procedures to address final disposition of ephi, and/or hardware or electronic media on which it is stored. Implement procedures for removal of ephi from electronic media with PHI before the media are available for reuse. Develop procedures. Maintain a record of the movements of hardware and electronic media and the person responsible for its movement. Document compliance or document compliance with reasonable, appropriate, and equivalent alternative. Create a retrievable, exact copy of EPHI, when needed, before movement of equipment. Document compliance or document compliance with reasonable, appropriate, and equivalent alternative. PAGE 9 2016 GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

Security Technical Safeguard Policies and Procedures Access Control: Unique User Identification Access Control: Encryption and Decryption Access Control: Emergency Access Procedure Access Control: Automatic Logoff Person or Entity Authentication Audit Controls: Activity Logs Transmission Security: Integrity Controls Transmission Security: Encryption Assign a unique name and/or number for identifying and tracking user identity. Document compliance. Provide mechanism to encrypt and decrypt ephi that is stored. Document compliance or document replacement with reasonable, appropriate, and equivalent alternative. Implement procedures for obtaining necessary ephi during an emergency. Develop procedures. Provide procedures that terminate an electronic session after a predetermined time of inactivity. Develop procedures or replace with reasonable, appropriate, and equivalent alternative procedures. Implement procedures to verify that a person or entity seeking access to ephi is the one claimed. Develop procedure. Implement Audit Controls, hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ephi. Document compliance. Provide policies and procedures to establish security measures to ensure that electronically transmitted ephi is not improperly modified without detection. Develop policies and procedures or replace with reasonable, appropriate, and equivalent alternative procedures. Provide mechanism to encrypt ephi whenever deemed appropriate. Document compliance or compliance with reasonable, appropriate, and equivalent alternative. Breach Notification Risk assessment Notice of Breach to individuals, OCR, and media (if required) Must have policies and procedures in place to determine whether a breach exists. Develop policies, procedures, and forms. Should have model forms for tracking, investigating, and providing notification of Breach. Develop model forms. PAGE 10 2016 GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

Timeliness of Notification of Breach Notification of Breach methodology Should have process to provide timely notification including appropriate timing and process to obtain information from BA if BA experiences a breach. Documents providing methods for notifying individuals and OCR (and the media if required) Develop policies and procedures, including means to notify affected individuals or personal representatives and how to follow up if contact information is insufficient. Notification Content Notices must have specific content. Develop standard templates or forms. Note: This checklist is designed for use by employers sponsoring health plans. Additional requirements apply to other types of covered entities such as healthcare providers. PAGE 11 2016 GALLAGHER BENEFIT SERVICES, INC. JANUARY 2016

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information