1 / 48

HIPAA Policies and Procedures

HIPAA Policies and Procedures. Beth Manley ISAC Compliance Officer August 28, 2018. Disclaimer.

rlola
Download Presentation

HIPAA Policies and Procedures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA Policies and Procedures Beth Manley ISAC Compliance Officer August 28, 2018

  2. Disclaimer • The Iowa State Association of Counties (ISAC) provides education and information primarily as a general service to ISAC members.  This communication, or any other communication with ISAC, does not create an attorney-client relationship.  The information provided should not be interpreted or used as a substitute for a legal opinion from your county attorney or otherwise retained and qualified legal counsel.

  3. Documentation of Security Policies and Procedures • 45 CFR § 164.316 Policies and procedures and documentation requirements. • A covered entity or business associate must, in accordance with § 164.306: • (a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

  4. Documentation of Security Policies and Procedures Continued • (b)(1) Standard: Documentation. • (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and • (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. • (2) Implementation specifications: • (i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. • (ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. • (iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

  5. Documentation of Security Policies and Procedures Continued • 45 CFR § 164.306(b) • (1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. • (2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors: • (i) The size, complexity, and capabilities of the covered entity or business associate. • (ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities. • (iii) The costs of security measures. • (iv) The probability and criticality of potential risks to electronic protected health information.

  6. Security Standard Matrix https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf

  7. Documentation of Privacy Policies and Procedures • 45 CFR § 164.530(i) • (1) Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart.

  8. Documentation of Privacy Policies and Procedures Continued • (2) Standard: Changes to policies and procedures. • (i) A covered entity must change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of this subpart or subpart D of this part. • (ii) When a covered entity changes a privacy practice that is stated in the notice described in § 164.520, and makes corresponding changes to its policies and procedures, it may make the changes effective for protected health information that it created or received prior to the effective date of the notice revision, if the covered entity has, in accordance with § 164.520(b)(1)(v)(C), included in the notice a statement reserving its right to make such a change in its privacy practices; or • (iii) A covered entity may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented in accordance with paragraph (i)(5) of this section.

  9. Documentation of Privacy Policies and Procedures Continued • (3) Implementation specification: Changes in law. Whenever there is a change in law that necessitates a change to the covered entity’s policies or procedures, the covered entity must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the notice required by § 164.520, the covered entity must promptly make the appropriate revisions to the notice in accordance with § 164.520(b)(3). Nothing in this paragraph may be used by a covered entity to excuse a failure to comply with the law.

  10. Documentation of Privacy Policies and Procedures Continued • (4) Implementation specifications: Changes to privacy practices stated in the notice. • (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: • (A) Ensure that the policy or procedure, as revised to reflect a change in the covered entity's privacy practice as stated in its notice, complies with the standards, requirements, and implementation specifications of this subpart; • (B) Document the policy or procedure, as revised, as required by paragraph (j) of this section; and • (C) Revise the notice as required by § 164.520(b)(3) to state the changed practice and make the revised notice available as required by § 164.520(c). The covered entity may not implement a change to a policy or procedure prior to the effective date of the revised notice. • (ii) If a covered entity has not reserved its right under § 164.520(b)(1)(v)(C) to change a privacy practice that is stated in the notice, the covered entity is bound by the privacy practices as stated in the notice with respect to protected health information created or received while such notice is in effect. A covered entity may change a privacy practice that is stated in the notice, and the related policies and procedures, without having reserved the right to do so, provided that: • (A) Such change meets the implementation specifications in paragraphs (i)(4)(i)(A)-(C) of this section; and • (B) Such change is effective only with respect to protected health information created or received after the effective date of the notice.

  11. Documentation of Privacy Policies and Procedures Continued • (5) Implementation specification: Changes to other policies or procedures. A covered entity may change, at any time, a policy or procedure that does not materially affect the content of the notice required by § 164.520, provided that: • (i) The policy or procedure, as revised, complies with the standards, requirements, and implementation specifications of this subpart; and • (ii) Prior to the effective date of the change, the policy or procedure, as revised, is documented as required by paragraph (j) of this section.

  12. Documentation of Privacy Policies and Procedures Continued • (j)(1) Standard: Documentation. A covered entity must: • (i) Maintain the policies and procedures provided for in paragraph (i) of this section in written or electronic form; • (ii) If a communication is required by this subpart to be in writing, maintain such writing, or an electronic copy, as documentation; and • (iii) If an action, activity, or designation is required by this subpart to be documented, maintain a written or electronic record of such action, activity, or designation. • (iv) Maintain documentation sufficient to meet its burden of proof under § 164.414(b).

  13. Documentation of Privacy Policies and Procedures Continued • (2) Implementation specification: Retention period. A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.

  14. What Should A Policy Have? • A clear description of the rule • Referenced code citation • Procedure that is in place to comply with the rule

  15. OCR Audit Program Findings • Phase 1 • Lack of customized policies and procedures • Phase 2 • Entities were rated on a scale from 1-5 with 1 being the best score and 5 being the worst. • A score of 4 meant “Audit results indicate the entity made negligible efforts to comply with the audited requirements - e.g. policies and procedures submitted for review are copied directly from an association template; evidence of training is poorly documented and generic.”

  16. Iowa Counties and Regions Sample Policy

  17. Updates to Sample Policy

  18. Workforce Designation

  19. Hybrid Entity

  20. Affiliated Covered Entity Designation

  21. HIPAA Record Retention Policy

  22. Privacy Manual • May require less customization than the Security Manual • Make sure to fill in all blank lines and customize forms • Name of privacy officer • Point of contacts • Addresses • Actual forms used

  23. Accessing PHI Policy

  24. Individual Request for PHI Form

  25. Authorization for Disclosure of PHI

  26. Group Health Plan Policy

  27. HIPAA Privacy and Security Amendment

  28. HIPAA Privacy and Security Amendment

  29. HIPAA Privacy and Security Amendment

  30. Notice of Privacy Practices

  31. Notice of Privacy Practices Continued

  32. Notice of Privacy Practices Continued

  33. Privacy Officer Designation Policy

  34. Training Policy

  35. Employee Confidentiality Agreement

  36. Security Manual • Most of the customization will likely occur in the Security Manual because every entity has a unique IT system • Make sure to include your IT team when updating the Security Manual • Some language may be outdated • Safeguard standards may have changed • Make sure you are doing what your policy says you are doing

  37. Assigned Security Responsibility Policy

  38. Information System Activity Review Policy

  39. HIPAA Workforce Clearance Policy

  40. Termination Procedures Policy

  41. Attachment to Termination Procedures Policy

  42. Password Management Policy

  43. Disaster Recovery Plan Policy

  44. Facility Access Control Policy

  45. Server, Workstation, and Mobile Systems Security Policy

  46. Access Control Policy

  47. Upcoming Webinar • October 9th 10:30-11:30 • Gary Jones-HIPAA 101 for Home Health Care Aides

  48. Questions? Beth Manley515-244-7181bmanley@iowacounties.org

More Related