Most organizations took steps to comply with HIPAA Privacy and Security Rules when they were initially effective. However, every organization approached Privacy and Security compliance in a different manner. With the changes made by the HITECH Act and the final regulations in January of 2013, you need to revisit your compliance steps to ensure you meet all the new requirements. The final regulations made material changes to the breach reporting and investigation process. In addition, most business associate agreements will need to be updated as will Privacy Notices.
Since compliance is specific to each individual organization and how they handle information, this content is designed to cover all the nuts and bolts associated with HIPAA Privacy and Security compliance.
Start by downloading the Action Plan. The Action Plan is in Word format, and it makes sense to use it to walk through all the individual steps associated with compliance. It is also color-coded for steps that will generally be handled by HR and steps that will generally be handled by IT. Any new requirements, or requirements that must be revisited as a result of the final regulations, appear in red font.
The remaining information is designed to provide help as your organization walks through the compliance steps:
- Samples includes a range of sample documents that will be helpful in complying with the Privacy and Security Rules.
- Guidance contains all the major pieces of guidance related to both HIPAA’s Privacy and Security Rules.
- Training contains general training you can use to help educate your health plan workforce about Privacy and Security.
- The Rules stress the importance of documenting almost all aspects of compliance. It is good practice to keep documentation as you walk through the compliance process.
When you complete the action plan, take a minute to complete the “HIPAA Privacy and Security Action Plan Checklist” to make sure your organization did not overlook any key compliance steps.
- Security Policy
- Complaint Form
- Use and Disclosure Procedures
- Breach Procedure Manual
- Business Associate Contract
- General Notice of Privacy Practices
- OCR Model Notice of Privacy Practices – Booklet Format
- OCR Model Notice of Privacy Practices – Full Page Format
- OCR Model Notice of Privacy Practices – Health Plan Text Version
- OCR Model Notice of Privacy Practices – Layered Format
- Firewall Document
- OCR Privacy Complaint Form
- Security Risk Analysis
- Authorization Form
- Privacy Officer Job Description
- Employee Certification Training Acknowledgement
- 2013 HIPAA’s Final Rules – Privacy and Security
- 2009 HITECH Act (as part of ARRA)
- 2009 Breach Reporting Guidance
- HIPAA’s Privacy and Security Rules 2015
- NIST SP 800-52 Computer Security
- NIST SP 800-77 Guide to IPsec VPNs
- NIST SP 800-88 Guidelines for Media Sanitization
- NIST SP 800-111 Data at Rest Encryption
- NIST SP 800-113 Guide to SSL VPNs