HIPAA GENERAL POLICIES & PROCEDURES


Index

1. Introduction
2. Amendments
3. Privacy Notice
4. Business Associate Agreements
5. Access
6. Risk Analysis
7. Risk Management
8. Privacy and Security Officer
9. Training
10. Privacy and Security Incidents
11. Sanctions
12. Mitigation
13. Documentation
14. Administrative Requirements

1. Introduction

The District's HIPAA Policies and Procedures (Code nos. 424.1-424.6) are designed to comply with the privacy and security standards under the Health Insurance Portability and Accountability Act (HIPAA), and apply to the District's group health plans (the "covered entities"). All of the District's HIPAA Policies and Procedures shall at all times be interpreted consistent with the HIPAA privacy and security standards set forth in 45 CFR Parts 160 and 164, and any new or amended HIPAA statutes and regulations. Nothing in the District's Policies and Procedures shall be interpreted as granting any additional rights to individuals, or placing any additional obligations on the District's group health plans, other than those required by the Privacy and Security Rules or any other applicable law. Nor shall the Policies and Procedures be considered contractual in nature.

2. Amendments

The District's Policies and Procedures may be revised at any time in accordance with the HIPAA Privacy and Security Rules and any new or amended HIPAA statutes and regulations, and shall be revised if necessitated by any change in law. The Policies and Procedures shall be reviewed periodically, and updated as needed, in response to environmental or operational changes affecting the privacy or security of protected health information. The group plans must provide their business associates with all relevant changes to the Policies and Procedures.

WEST DES MOINES COMMUNITY SCHOOL BOARD OF EDUCATION Page 1 of 6

3. Privacy Notice

The covered entities shall adopt a Privacy Notice regarding potential uses and disclosures of protected health information (PHI), individuals' rights, and the covered entities' legal duties with respect to PHI. Where the covered entity is a group health plan which provides benefits solely through an insurance contract with a health insurance issuer or HMO, the covered entity shall maintain a Privacy Notice and shall provide the Privacy Notice to any person upon request. If the covered entity is a group health plan which does not provide benefits solely through an insurance contract, the Privacy Notice must be provided to individuals as follows:

- At the time of enrollment, to new enrollees;
- Within 60 days of a material revision to the Privacy Notice, to individuals covered by the plan;
- To any person upon request; and
- At least once every three years, the health plan must notify individuals covered by the plan of the availability of the Privacy Notice and how to obtain it.

The Privacy Notice and its terms may be revised, and the revisions may be effective for all PHI maintained by the covered entities, to the full extent allowed by the Privacy Rules. If the covered entities maintain a web site providing information about their benefits, they must post the Privacy Notice on the web site and make the notice available electronically through the web site.

4. Business Associate Agreements

The covered entities must, on a continuous basis, identify all business associates, who are those persons or entities who perform certain functions or activities that involve the use or disclosure of protected health information on behalf of, or which provide services to, a covered entity. Employees of covered entities are not business associates.

Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services include: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.

The covered entities may permit a business associate to create, receive, maintain, or transmit electronic protected health information on their behalf only if the covered entities obtain satisfactory assurances that the business associate will appropriately safeguard the information and comply with the privacy and security rules. The covered entities shall therefore require all current and future business associates to execute a business associate agreement, or an amendment to a business associate agreement, which provides that the business associate will comply with HIPAA and notify the applicable covered entity of any privacy or security incidents or breaches.

If the covered entities learn of a pattern of activity or practice of the business associate that constitutes a material breach or violation of the business associate's obligations under the contract, the covered entities must take reasonable steps to cure the breach or end the violation, as may be applicable. If such steps are unsuccessful, the covered entities must terminate the contract if feasible, or, if termination is not feasible, the covered entities must report the problem to the Department of Health and Human Services (HHS).

5. Access

The covered entities will create, change, and safeguard passwords with regard to employees whose duties involve the benefit plan(s) at issue, as necessary to protect electronic protected health information (EPHI). The covered entities will provide for password protection for the work computers of those employees whose duties involve the benefit plan(s) at issue, and for the computer system(s) used by such individuals. The passwords will be changed following termination of the employee or other significant change in circumstances.

The covered entities will, with regard to those employees whose duties involve the benefit plan(s) at issue, implement one or more of the following procedures if possible using their current hardware and software capabilities:

- limit the number of log-in attempts;
- provide notice to the security official if the maximum number of attempts is exceeded;
- lock the system to prevent access with that particular user's name if the maximum number of attempts is exceeded; etc.

6. Risk Analysis

The covered entities shall assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the entities, if any. The risk analysis shall be overseen and directed by the designated security official. The goal of risk analysis is to identify potential security risks, the probability of occurrence, and the magnitude of the risk.

The covered entities shall periodically review and update their risk analysis, annually or more often if there are significant changes in the operating practices or procedures, personnel, physical environment, or computer hardware or software systems. All risk analysis documentation shall be retained for six (6) years.

7. Risk Management

The covered entities shall implement security measures sufficient to reduce risks and vulnerabilities to EPHI held by the entity, if any, to a reasonable and appropriate level. Risk management involves eliminating or reducing unacceptable risks to reasonable levels, and maintaining the lower acceptable level of risk over time. The goal of risk management is to:

(1) Ensure the confidentiality, integrity, and availability of all EPHI the covered entities create, receive, maintain, or transmit;
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the HIPAA Privacy Rules; and
(4) Ensure compliance with this subpart by their workforce.

In deciding what security measures to use, the covered entities must take into consideration the following factors:

1. The size, complexity and capabilities of the covered entities.
2. The covered entities' technical infrastructure, hardware, and software security capabilities.
3. The costs of security measures.
4. The probability and criticality (the degree of potential harm) of potential risks to EPHI.

Cost cannot be the sole factor in the decision whether to implement an addressable implementation specification. The covered entities shall periodically review and update their risk analysis, and, if warranted as a result thereof, implement reasonable and appropriate security measures to address any new or increased risks or vulnerabilities to EPHI held by the entities which are not adequately addressed by current security measures.

8. Privacy and Security Officer

The covered entities shall designate privacy and security officials, who may be the same or different individuals, responsible for the development and implementation of these Policies and Procedures, and a contact person or office responsible for receiving notice of any privacy and security violations and for providing further information about matters covered by the privacy and security rules and these Policies and Procedures. The privacy and security official and contact person functions may be fulfilled by the same or different persons.

The privacy and security officials are authorized to have direct access to or communication with officers, administrators and/or directors, as applicable, as necessary for compliance with these Policies and Procedures and the Privacy and Security Rules.

9. Training

The covered entities shall train all members of their workforce who may receive PHI on these Policies and Procedures, as necessary and appropriate for the workforce members to carry out their function within the covered entity. Training shall be provided to new workforce members who may receive PHI within a reasonable period of time after joining the covered entity's workforce. Training must also be provided as needed, to each member of the workforce whose functions are affected by a material change in these Policies and Procedures, within a reasonable period of time after the change takes effect.

10. Privacy and Security Incidents

The covered entities shall provide a process for individuals to identify and respond to privacy and security incidents, and to report violations of these Policies and Procedures or the Privacy or Security Rules. Privacy and security incidents and violations must be reported to the designated privacy or security official or the designated contact person. The privacy or security official or contact person shall reasonably investigate any privacy or security incident or violation and determine whether and what responsive action or remedial measures, if any, are appropriate, and shall then act on this determination. The privacy or security official shall take reasonable steps to preserve evidence; mitigate, to the extent possible, the situation that caused the incident; document the incident and the outcome; and evaluate privacy and security incidents as part of ongoing risk management.

11. Sanctions

Where the privacy or security official has determined a member of its workforce has failed to comply with these Policies and Procedures or the Privacy or Security Rules, the covered entities shall apply sanctions against the workforce member. Depending on the nature and severity of the failure to comply, sanctions may include, but are not limited to, verbal warning, written warning, suspension, or termination. The determination of the appropriate sanction may take into account the severity of the breach, intent, malice, prior offenses, the effect of the breach, and other relevant circumstances. Sanctions may be initiated at any level without prior resort to lesser forms of sanction.

12. Mitigation

The covered entities shall mitigate, to the extent practicable, any harmful effect known to the covered entities of a violation of these Policies and Procedures or the Privacy or Security Rules by the covered entities or their business associates.

13. Documentation

The covered entities must maintain the Policies and Procedures, any documentation required by the Privacy and Security Rules to be in writing, and a record of any action, activity, or designation required by the Privacy and Security Rules to be documented, for a period of six years from the date of its creation or the date when it last was in effect, whichever is later. Documentation may be maintained in written or electronic form. The documentation must be made available to those persons responsible for implementing the procedures to which the documentation pertains. The documentation shall be reviewed periodically, and updated as needed, in response to environmental or operational changes affecting the privacy or security of PHI.

14. Administrative Requirements

a. No Retaliation: The covered entities may not intimidate, threaten, coerce, discriminate against, or take retaliatory action against individuals asserting rights under HIPAA.

b. Waiver of Rights: The covered entities may not require individuals to waive their rights under HIPAA as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

c. Policies and Procedures: The covered entities must maintain and implement these Policies and Procedures.

d. Group Health Plans: Group health plans which provide health benefits solely through an insurance contract and/or which do not create or receive EPHI are not necessarily subject to certain HIPAA requirements.

Nothing in these Policies and Procedures shall be interpreted as granting any additional rights to individuals, or placing any additional obligations on the covered entities, other than those required by the Privacy and Security Rules.

Approved 03-07-11
Reviewed 6-13-16
Revised