DRAFT - Policies and Procedures

PRIVACY OFFICE ASSIGNMENT AND RESPONSIBILITIES

APPROVED BY:
SUPERSEDES POLICY:
Policy #1
ADOPTED:
REVISED:
REVIEWED:

Purpose

This policy is designed to assure the establishment of a Privacy Office for the purpose of overseeing [YOUR COMPANY NAME]'s obligations to maintain the privacy of protected health information (PHI) consistent with state and federal privacy laws, in accordance with 45 CFR 164.530 - Administrative Requirements.

Policy

It is [YOUR COMPANY NAME] policy to maintain a Privacy Office headed by the Privacy Officer, who is responsible for all of [YOUR COMPANY NAME]'s privacy matters, including policies and procedures, and for assuring that all of [YOUR COMPANY NAME]'s workforce members comply with such requirements.

Definitions

Refer to the HIPAA-HITECH Privacy and Security Glossary.

Procedures:

1. Appointment of Privacy Officer. [YOUR COMPANY NAME] will maintain a Privacy Office and appoint a Privacy Officer to be responsible for ensuring compliance with privacy requirements throughout [YOUR COMPANY NAME].

2. Responsibilities of Privacy Officer. The Privacy Officer will lead the Privacy Office and have the responsibilities set forth in Exhibit A, which will include receiving complaints related to privacy.

1 Clearwater Compliance LLC All Rights Reserved
3. Contacting the Privacy Officer. The Privacy Office can be contacted via [YOUR COMPANY NAME] secure email at PrivacyOffice@[YOUR COMPANY NAME] email address twenty-four (24) hours a day, seven (7) days a week. Incident and disclosure reports must be immediately completed in the online form located at http://incidentreports/.

4. Documentation and Retention. This version of the policy, together with any forms and other documentation created or obtained in accordance with the policy, will be retained by [YOUR COMPANY NAME] for at least seven (7) years from the date of creation or last use, whichever is later.
Exhibit A: Responsibilities of the Privacy Office

Purpose. The Privacy Office is responsible for [YOUR COMPANY NAME]'s compliance with state and federal privacy and breach notification laws.

Qualifications. The Privacy Office collectively will have experience in information management and be familiar with the day-to-day operations of [YOUR COMPANY NAME]. The Privacy Office collectively will have the ability to work well with [YOUR COMPANY NAME]'s management, including the Information Security Office, Legal Counsel, Human Resources, Customers, Subcontractors, regulatory agencies and law officials. The Privacy Office will have a strong practical working knowledge of [YOUR COMPANY NAME]'s operations and of state and federal privacy and breach notification regulations.

Responsibilities: Under the leadership of the Privacy Officer, the Privacy Office will be responsible for:

1. Developing [YOUR COMPANY NAME]'s privacy and breach notification policies and procedures in coordination with [YOUR COMPANY NAME]'s management and legal counsel.

2. Investigating and maintaining a log of all reported incidents and follow-up activities related to [YOUR COMPANY NAME] and/or [YOUR COMPANY NAME]'s Business Associates [see Privacy Policy #4 Reporting Violations, Sanctions and Mitigation and Privacy Policy #15 Reporting Impermissible Uses and Disclosures].

3. Monitoring and communicating changes in privacy laws and regulations and assuring that any necessary revisions are made to [YOUR COMPANY NAME]'s privacy and breach notification policies and procedures in a timely manner.

4. Conducting periodic assessments of compliance with [YOUR COMPANY NAME] privacy and breach notification policies and procedures, and making [YOUR COMPANY NAME] management aware of any known or potential problems that will be addressed.

5. Participating in the identification of subcontractors that handle PHI on behalf of [YOUR COMPANY NAME] and ensuring that appropriate agreements and safeguards are implemented and maintained between [YOUR COMPANY NAME] and its vendors and subcontractors [see Privacy Policy #10 Uses By and Disclosures to Subcontractors and Third Parties].

6. Investigating and following up, as appropriate, on requests and disclosures of PHI assigned to the Privacy Office [see Privacy Policy #5 Required Disclosures, Privacy Policy #6 Request for Health Record, Privacy Policy #7 Amendment of Health Information, Privacy Policy #8 Accounting of Disclosures, and Privacy Policy #9 Authorization to Use or Disclose PHI].

7. Determining whether a charge for an accounting of disclosures is appropriate and, if so, the amount of such charge [see Privacy Policy #8 Accounting of Disclosures].

8. Maintaining, or ensuring the maintenance of, all documentation required by the Privacy and Breach Notification Rules as outlined in [YOUR COMPANY NAME]'s Privacy and Breach Notification Policies and Procedures.

9. Ensuring the development and provision of [YOUR COMPANY NAME]'s initial and ongoing privacy training for workforce members, including orientation for new workforce members and updates for current workforce members periodically and when necessary [see Privacy Policy #2 Privacy Training Requirements].

10. Responding to Individuals' concerns and complaints regarding [YOUR COMPANY NAME] privacy policies and procedures [see Privacy Policy #16 Reporting and Responding to Privacy Complaints].

11. Responding to and coordinating [YOUR COMPANY NAME]'s response to privacy audits by Customers and regulatory agencies, and working with [YOUR COMPANY NAME] Management to assure that appropriate actions are taken to resolve any problems.

12. Collaborating with [YOUR COMPANY NAME] Information Security and Facilities Departments, and assisting in the development of appropriate administrative, physical and technical safeguards for the protection of PHI in [YOUR COMPANY NAME]'s care [see Privacy Policy #18 Data Safeguards].

13. Assisting [YOUR COMPANY NAME]'s Human Resources department in developing appropriate disciplinary measures when workforce members violate [YOUR COMPANY NAME] privacy policies and procedures [see Privacy Policy #4 Reporting Violations, Sanctions and Mitigation].

14. Cooperating with Customers and state and federal agencies, including the Department of Health and Human Services and the Office for Civil Rights, in any and all compliance reviews or investigations.

Documentation

This version of the policy, together with any forms and other documentation created or obtained in accordance with the policy, will be retained by [YOUR COMPANY NAME] for at least seven (7) years from the date of creation or date of last use, whichever is later.

Regulatory Authority

164.530 Administrative requirements.

(a)(1) Standard: Personnel designations.

(i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.
(ii) A covered entity must designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by 164.520.

(2) Implementation specification: Personnel designations. A covered entity must document the personnel designations in paragraph (a)(1) of this section as required by paragraph (j) of this section.