HIPAA Policies for Business Associates

$298.00


A Complete Set of HIPAA Policy and Procedure Templates
for Business Associates of All Types and Sizes.

Fully updated for the HITECH Act, these editable Policy and Procedure templates are ready to be customized for your specific needs. Fifty-five templates covering every area required by HIPAA are fully compliant with HIPAA and the recent HITECH Act changes to HIPAA. This template collection is specially designed for HIPAA Business Associates, and is perfect for any Business Associate to meet their compliance obligations under HIPAA.

A complete set of Policies and Procedures is mandatory for HIPAA compliance. If you are ever investigated for or charged with a HIPAA violation, your Policies and Procedures are the first thing investigators will want to see. Make sure you are ready!

HIPAA requires certain Policies and Procedures for Business Associates. However, HIPAA has no specific requirements as to how long or short P&Ps must be, the form or format they must have, or the language that must be in them. Customize the templates in this product for your own unique needs and save thousands on attorney fees with this legally-valid template collection.

Policy and Procedure templates included in this collection require editing before use. You can easily edit these templates to align each one with your unique business and policy positions. All items included in this product are in Microsoft Word format.

Complete instructions and an editing guide are included with this product.

This product contains the following Policies and Procedures. Each entry gives the policy title, whether HIPAA designates it a Required or Addressable standard (where applicable), the regulation sections it covers, and a one-line summary of the obligation.

1. General HIPAA Compliance Policy (164.104; 164.306; HITECH 13041): Covered Entities and Business Associates, as defined in HIPAA and HITECH, must comply with all required parts and subparts of the regulations that apply to each type of Entity.

2. Policies & Procedures General Requirement (164.306; 164.316; 164.312(b)(1); 164.530(i)): Implement reasonable and appropriate P&Ps to comply with all standards, implementation specifications, or other requirements. P&P changes must be appropriately documented.

3. Documentation Requirement (164.312(b)(2); 164.316; 164.530(j)): Maintain all P&Ps in written (may be electronic) form. If an action, activity or assessment must be documented, maintain written (may be electronic) records of all.

4. Documentation Retention Requirement (164.316; 164.530(j)): Retain all required documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

5. Documentation Availability Requirement (164.310; 164.316; 164.530(j)): Make documentation available to those persons responsible for implementing the Policies and/or Procedures to which the documentation pertains.

6. Documentation Updates Requirement (164.310; 164.316; 164.530(j)): Review documentation periodically and update as needed, in response to environmental or operational changes affecting the security of PHI.

7. HHS Investigations Policy (160.308; 164.310; 164.312): CEs and BAs must implement policies & procedures to assure compliance with HHS investigation & recordkeeping requirements.

8. Breach Notification Policy (164.400 to 164.414): Requires CEs and BAs to comply with all Breach Notification requirements: risk analysis; determination of potential harm; notifications.

9. Assign Privacy Official Policy (164.530(a)): CEs and BAs must assign an individual for all Privacy-related activities and compliance efforts, and to accept and process complaints.

10. State Law Preemption Policy (160.201 to 160.205): CEs and BAs must analyze and assess state law requirements related to data privacy & security, and the HIPAA preemption impacts of state laws.

11. HIPAA Training Policy (164.530(b)): CEs and BAs must train all affected workforce members on their Policies & Procedures, as well as the basics of HIPAA, as needed.

12. PHI Uses & Disclosures Policy (164.502 to 164.514): CEs and BAs must establish methods and procedures to assure that all PHI uses & disclosures are in accord with HIPAA regs.

13. Patient Rights Policy (164.520 to 164.528): CEs (and BAs optionally) must implement policies & procedures to assure the lawful provision of Patient Rights as called for in HIPAA regs.

14. Complaints Policy (164.530(d); 164.530(a)): CEs and BAs must establish methods and procedures to assure the proper handling of, and response to, all complaints received.

15. Risk Management Process Policy (Required; 164.302 to 164.318): Establishes the overall Risk Management process that CEs and BAs must implement to meet Privacy & Security Rule compliance requirements.

16. Risk Analysis (Required Standard; 164.308(a)(1)): Conduct assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.

17. Risk Management (Required Standard; 164.308(a)(1)): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Sec. 164.306(a).

18. Sanction Policy (Required Standard; 164.308(a)(1)): Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

19. Information System Activity Review (Required Standard; 164.308(a)(1)): Implement procedures to regularly review information system activity: audit logs, access reports, security incident reports, etc.

20. Assigned Security Responsibility (Required Standard; 164.308(a)(2)): Assign security responsibility. Identify the Security Official responsible for development and implementation of required P&Ps.

21. Authorization & Supervision Procedures (Addressable Standard; 164.308(a)(3)): Implement procedures for authorization and/or supervision of workers who work with ePHI or in locations where it might be accessed.

22. Workforce Clearance Procedures (Addressable Standard; 164.308(a)(3)): Implement procedures to determine that the access of a workforce member to ePHI is appropriate.

23. Termination Procedures (Addressable Standard; 164.308(a)(3)): Implement procedures for terminating access to ePHI when the employment ends or as required by (a)(3)(ii)(B) of this section.

24. Access Authorization (Addressable Standard; 164.308(a)(4)): Implement policies and procedures for granting access to ePHI, for workstations, transactions, programs, processes, or other mechanisms.

25. Access Establishment and Modification (Addressable Standard; 164.308(a)(4)): Implement P&Ps, based on Access Authorization policies, to establish, document, review, and modify a user's rights of access to workstations, transactions, programs, or processes.

26. Security Reminders (Addressable Standard; 164.308(a)(5)): Implement periodic reminders of security and information safety best practices.

27. Protection from Malicious Software (Addressable Standard; 164.308(a)(5)): Implement procedures for guarding against, detecting, and reporting malicious software.

28. Log-in Monitoring (Addressable Standard; 164.308(a)(5)): Implement procedures for monitoring and reporting log-in attempts and discrepancies.

29. Password Management (Addressable Standard; 164.308(a)(5)): Implement procedures for creating, changing, and safeguarding appropriate passwords.

30. Security Incident Procedures (Required Standard; 164.308(a)(6); 164.400 to 164.414): Identify and respond to suspected or known security incidents. Mitigate harmful effects. Document security incidents and their outcomes.

31. Data Backup Plan (Required Standard; 164.308(a)(7)): Establish and implement procedures to create and maintain retrievable, exact copies of ePHI during unexpected negative events.

32. Disaster Recovery Plan (Required Standard; 164.308(a)(7)): Establish (and implement as needed) procedures to restore any loss of data.

33. Emergency Mode Operation Plan (Required Standard; 164.308(a)(7)): Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of ePHI while operating in emergency mode.

34. Testing and Revision Procedures (Addressable Standard; 164.308(a)(7)): Implement procedures for periodic testing and revision of contingency and emergency plans.

35. Applications and Data Criticality Analysis (Addressable Standard; 164.308(a)(7)): Assess the relative criticality of specific applications and data in support of other contingency plan components.

36. Evaluation Policy (Required Standard; 164.308(a)(8)): Perform periodic technical & nontechnical evaluations, to establish how well security P&Ps meet the requirements of this subpart.

37. Business Associates Policy (Required Standard; 164.308(b)(1); 164.410; 164.502(e); 164.504(e)): CEs must obtain, and BAs must provide, written satisfactory assurances that all ePHI and PHI will be appropriately safeguarded.

38. Contingency Operations Procedures (Addressable Standard; 164.310(a)(1-2)): Establish (and implement as needed) procedures that allow facility access to support restoration of lost data in the event of an emergency.

39. Facility Security Plan (Addressable Standard; 164.310(a)(1-2)): Implement P&Ps to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

40. Access Control and Validation Procedures (Addressable Standard; 164.310(a)(1-2)): Implement procedures to control and validate individual access to facilities based on role or function, including visitor control and access control for software testing and revision.

41. Maintenance Records (Addressable Standard; 164.310(a)(1-2)): Implement P&Ps to document repairs and changes to physical elements of a facility related to security (hardware, walls, doors, locks, etc.).

42. Workstation Use (Required Standard; 164.310(b-c)): Implement P&Ps that specify the proper functions, procedures, and appropriate environments of workstations that access ePHI.

43. Workstation Security (Required Standard; 164.310(b-c)): Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.

44. Media Disposal & Disposition (Required Standard; 164.310(d)(1-2)): Implement P&Ps to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.

45. Media Re-use (Required Standard; 164.310(d)(1-2)): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.

46. Hardware & Media Accountability (Addressable Standard; 164.310(d)(1-2)): Maintain records of the movements of hardware and electronic media, and any person responsible therefor.

47. Data Backup and Storage (Addressable Standard; 164.310(d)(1-2); 164.308(a)(7)): The Data Backup Plan defines what data is essential for continuity after damage or destruction of data, hardware, or software. Risk Analysis determines what to back up.

48. Unique User Identification (Required Standard; 164.306; 164.312(a)(1-2)): Assign a unique name and/or number for identifying and tracking user identity.

49. Emergency Access Procedure (Required Standard; 164.104; 164.306; 164.312(a)(1)): Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.

50. Automatic Logoff (Addressable Standard; 164.306; 164.312(a)(1-2)): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

51. Encryption and Decryption (Addressable Standard; 164.312(a)(1-2)): Implement an appropriate mechanism to encrypt and decrypt ePHI.

52. Audit Controls (Required Standard; 164.312(b)): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

53. Integrity Controls Policy (Addressable Standard; 164.312(c)(1-2)): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

54. Person or Entity Authentication (Required Standard; 164.312(d)): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.

55. Integrity Controls Procedures (Addressable Standard; 164.312(c)(1-2); 164.312(e)(1-2)): Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
