The regulation requiring documented Policies and Procedures From the HIPAA Privacy Rule (1996)
§164.530 Administrative requirements.
(i) (1) Standard: Policies and procedures.
A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part.
The regulation requiring documented Information Security Policies and Procedures From the HIPAA Security Rule (2003)
§164.316 Policies and procedures and documentation requirements.
A covered entity must, in accordance with §164.306:
(a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). . . . A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
(b) (1) Standard: Documentation.
(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form;
THIS IS NOT A SET OF TEMPLATES THAT YOU HAVE TO GO IN AND FILL IN.
THIS IS NOT A ONE-SIZE-FITS-ALL MANUAL but is personalized to disclose YOUR policies and procedures based on how you run YOUR office!
Do you run your office exactly like any other office you know?
If not, how could you use the SAME policies and procedures as another office?
A CONSOLIDATED POLICY AND COMPLIANCE MANUAL PERSONALIZED TO YOUR PRACTICE!
PRIVACY RULE – SECURITY RULE – BILLING AND CODING COMPLIANCE DOCUMENTATION
This demonstrates your commitment to and the efforts you will undertake to maintain compliance with both federal and state rules and regulations.
Describes how you will not tolerate Fraud, Waste and Abuse, and how you will conduct your company in accordance with the regulations governing the proper coding and billing for the services you provide.
The HIPAA Privacy Rule established guidelines for the protection of confidential patient information. This is your commitment to and methods for meeting these requirements.
The HIPAA Security Rule is an extension of the Privacy Rule but deals exclusively with the protection of confidential patient information in electronic formats. This documents your commitment to and the methods you will use to meet these requirements.
BREACH INFORMATION –
If you experience an unauthorized release of confidential information – regardless of how it happens (ransomware, hacking, an email sent to the wrong person, a stolen device, etc.) – do you know what you are required to do and when? There is a separate section that identifies your liabilities and responsibilities.
Breach Notification Rule
Breach and Breach Notification – Additional Information
Breach Risk Assessment – Breach Notification Decision Process
HIPAA Final Rule – More On Breach Notification Rule Changes
HIPAA Final Rule – Breach Risk Assessment Factors for “Probability Standard”
HIPAA Final Rule – Breach Notification Guidance – Safe Harbor
FORMS –
Business Associates Agreement
Clinic Information Technology Policy
Clinic Password Policy
Facility Security Plan
Non-Disclosure (Confidentiality Agreement)
Non-Employee/Workman Log Form
Policy and Procedures – Employee Acknowledgment Form
Risk Management and the Risk Management Plan
Security Incident Report Form