The HIPAA Store : RSS Product Feed :: HIPAA Policies for Business Associates http://www.hipaastore.com/ en Copyright (c) 2010 HIPAA Group, Inc. sales@hipaastore.com (HIPAA Group, Inc.) sales@hipaastore.com (HIPAA Group, Inc.) Mon, 18 Jan 2010 08:47:22 -0800 Zen-Cart v. v 2.1.4 14.02.2008 15:26 RSS 2.0 Feed 1440 HIPAA Policies for Business Associates http://www.hipaastore.com/hipaa-policies-for-business-associates-p-25.html http://www.hipaastore.com/index.php?main_page=product_reviews&products_id=25 HIPAA Policies for Business Associates


A Complete Set of HIPAA Policy and Procedure Templates
for Business Associates of All Types and Sizes.

Fully updated for the HITECH Act, these editable Policy and Procedure templates are ready to be customized for your specific needs. Fifty-five templates covering every area required by HIPAA are fully compliant with HIPAA and the recent HITECH Act changes to HIPAA. This template collection is specially designed for HIPAA Business Associates, and is perfect for any Business Associate to meet their compliance obligations under HIPAA.

A complete set of Policies and Procedures is mandatory for HIPAA compliance. If you are ever investigated for or changed with a HIPAA violation, your Polices and Procedures are the first thing investigators will want to see. Make sure you are ready!

HIPAA requires certain Policies and Procedures for Business Associates. However, HIPAA has no specific requirements as to how long or short P&Ps must be, the form or format they must have, or the language that must be in them. Customize the templates in this product for your own unique needs and save thousands on attorney fees with this legally-valid template collection.

Policy and Procedure templates included in this collection require editing before use. You can easily edit these templates to align each one with your unique business and policy positions. All items included in this product are in Microsoft Word format.

Complete instructions and an editing guide are included with this product.

This product contains the following Policies and Procedures

1

 General HIPAA
Compliance Policy		 164.104
164.306
HITECH 13041		 Covered Entities and Business Associates, as defined in HIPAA and HITECH, must comply with all required parts and subparts of the regulations that apply to each type of Entity.

2

 Policies & Procedures
General Requirement		 164.306
164.312(b)(1)
164.530(i)		 Implement reasonable and appropriate P&Ps to comply with all standards, implementation specifications, or other requirements. P&P changes must be appropriately documented.

3

 Documentation Requirement 164.530(j)(1)(ii)164.530(j)(1)(iii)164.312(b)(2)(i) Maintain all P&Ps in written (may be electronic) form. If an action, activity or assessment must be documented, maintain written (may be electronic) records of all.

4

Documentation Retention
Requirement

 164.312(b)(2)(ii) Retain all required documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

5

Documentation Availability
Requirement

 164.312(b)(2)(iii) Make documentation available to those persons responsible for implementing the Policies and/or Procedures to which the documentation pertains.

6

Documentation Updates
Requirement

 164.312(b)(2)(iii) Review documentation periodically and update as needed, in response to environmental or operational changes affecting the security of PHI.

7

 HHS Investigations Policy 160.103 CEs and BAs must implement policies & procedures to assure compliance with HHS investigation & recordkeeping requirements.

8

 Breach Notification Policy 164.400 to
164.414		 Requires CEs and BAs to comply with all Breach Notification requirements: risk analysis; determination of potential harm; notifications.

9

 Assign Privacy Official Policy 164.530(a) CEs and BA must assign an individual for all Privacy-related activities and compliance efforts; and to accept and process complaints.

10

 State Law Preemption Policy 160.201 to
160.205		 CEs and BAs must analyze and assess state law requirements related to data privacy & security; and HIPAA preemption impacts of state laws.

11

 HIPAA Training Policy 164.530(b) CEs and BAs must train all affected workforce members on their Policies & Procedures, as well as the basics of HIPAA, as needed.

12

 PHI Uses & Disclosures Policy 164.502 to
164.514		 CEs and BAs must establish methods and procedures to assure that all PHI uses & disclosures are in accord with HIPAA regs.

13

 Patient Rights Policy 164.520 to 164.528 CEs (and BAs optionally) must implement policies & procedures to assure the lawful provision of Patient Rights as called for in HIPAA regs.

14

 Complaints Policy 164.530(d)
164.530(a)		 CEs and BAs must establish methods and procedures to assure the proper handling of, and response to, all complaints received.

15

Risk Management
Process Policy
Required

 164.302
164.306		 Establishes the overall Risk Management process that CEs and BAs must implement to meet Privacy & Security Rule compliance requirements.

16

Risk Analysis
Required Standard

 164.308(a)(1) Conduct assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.

17

Risk Management
Required Standard

 164.308(a)(1) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Sec. 164.306(a).

18

Sanction Policy
Required Standard

 164.308(a)(1) Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

19

Information System
Activity Review
Required Standard

 164.308(a)(1) Implement procedures to regularly review information system activity: audit logs; access reports; and security incident reports; etc.

20

Assigned Security Responsibility
Required Standard

 164.308(a)(2) Assign security responsibility. Identify Security Official responsible for development and implementation of required P&Ps.

21

Authorization & Supervision Procedures
Addressable Standard

 164.308(a)(3) Implement procedures for authorization and/or supervision of workers who work with ePHI or in locations where it might be accessed.

22

Workforce Clearance Procedures
Addressable Standard

 164.308(a)(3) Implement procedures to determine that the access of a workforce member to ePHI is appropriate.

23

Termination Procedures
Addressable Standard

 164.308(a)(3) Implement procedures for terminating access to ePHI when the employment ends or as required by (a)(3)(ii)(B) of this section.

24

Access Authorization
Addressable Standard

 164.308(a)(4) Implement policies and procedures for granting access to ePHI, for workstations, transactions, programs, processes, or other mechanisms.

25

Access Establishment
and Modification
Addressable Standard

 164.308(a)(4) Implement P&Ps, based on Access Authorization policies, to establish, document, review, and modify user's rights of access to workstations, transactions, programs, or processes.

26

Security Reminders
Addressable Standard

 164.308(a)(5) Implement periodic reminders of security and information safety best practices.

27

Protection from
Malicious Software
Addressable Standard

 164.308(a)(5) Implement Procedures for guarding against, detecting, and reporting malicious software.

28

Log-in Monitoring
Addressable Standard

 164.308(a)(5) Implement Procedures for monitoring and reporting log-in attempts and discrepancies.

29

Password Management
Addressable Standard

 164.308(a)(5) Implement Procedures for creating, changing, and safeguarding appropriate passwords.

30

Security Incident Procedures
Required Standard

 164.308(a)(6) Identify and respond to suspected or known security incidents. Mitigate harmful effects. Document security incidents and their outcomes.

31

Data Backup Plan
Required Standard

 164.308(a)(7) Establish and implement procedures to create and maintain retrievable, exact copies of ePHI during unexpected negative events.

32

Disaster Recovery Plan
Required Standard

 164.308(a)(7) Establish (and implement as needed) procedures to restore any loss of data.

33

Emergency Mode
Operation Plan
Required Standard

 164.308(a)(7) Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of ePHI while operating in emergency mode.

34

Testing and Revision Procedures
Addressable Standard

 164.308(a)(7) Implement procedures for periodic testing and revision of contingency and emergency plans.

35

Applications and Data
Criticality Analysis
Addressable Standard

 164.308(a)(7) Assess the relative criticality of specific applications and data in support of other contingency plan components.

36

Evaluation Policy
Required Standard

 164.308(a)(8) Perform periodic technical & nontechnical evaluations, to establish how well security P&Ps meet the requirements of this subpart.

37

Business Associate Contracts and Other Arrangements
Required Standard

 164.308(b)(1) CE’s must obtain, and BA’s must provide, written satisfactory assurances that all ePHI and PHI will be appropriately safeguarded.

38

Contingency Operations Procedures
Addressable Standard

 164.310(a)(1) Establish (and implement as needed) procedures that allow facility access to support restoration of lost data in the event of an emergency.

39

Facility Security Plan
Addressable Standard

 164.310(a)(1) Implement P&P’s to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

40

Access Control and
Validation Procedures
Addressable Standard

 164.310(a)(1) Implement procedures to control and validate individual access to facilities based on role or function; including visitor control, and access control for software testing and revision.

41

Maintenance Records
Addressable Standard

 164.310(a)(1) Implement P&Ps to document repairs and changes to physical elements of a facility related to security (hardware, walls, doors, locks, etc.).

42

Workstation Use
Required Standard

 164.310(b) Implement P&Ps that specify the proper functions, procedures, and appropriate environments of workstations that access ePHI.

43

Workstation Security
Required Standard

 164.310(c) Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.

44

Media Disposal & Disposition
Required Standard

 164.310(d)(1) Implement P&Ps to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.

45

Media Re-use
Required Standard

 164.310(d)(1) Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.

46

Hardware & Media
Accountability
Addressable Standard

 164.310(d)(1) Maintain records of the movements of hardware and electronic media, and any person responsible therefore.

47

Data Backup and Storage
Addressable Standard

 164.310(d)(1) The Data Backup Plan defines what data is essential for continuity after damage or destruction of data, hardware, or software. Risk Analysis determines what to backup.

48

Unique User Identification
Required Standard

 164.312(a)(1) Assign a unique name and/or number for identifying and tracking user identity.

49

Emergency Access Procedure
Required Standard

 164.312(a)(1) Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.

50

Automatic Logoff
Addressable Standard

 164.312(a)(1) Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

51

Encryption and Decryption
Addressable Standard

 164.312(a)(1) Implement an appropriate mechanism to encrypt and decrypt ePHI.

52

Audit Controls
Required Standard

 164.312(b) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

53

Integrity Controls Policy
Addressable Standard

 164.312(c)(1) Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

54

Person or Entity
Authentication
Required Standard

 164.312(d) Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.

55

Integrity Controls Procedures
Addressable Standard

 164.312(e)(1) Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.



Buy Now ]]> sales@hipaastore.com (HIPAA Group, Inc.) http://www.hipaastore.com/hipaa-policies-for-business-associates-p-25.html Mon, 18 Jan 2010 08:47:22 -0800 298.00 USD 25 1001 1 http://www.hipaastore.com/images/large/pnpLG_LRG.jpg