1. Acceptable Use Policy
This policy provides users with network access in order to efficiently complete their assigned job function. The user must be held fully accountable for the acceptable use of the company’s network and systems. Organizational resources are to be utilized for business purposes. Taking this into consideration, some actions are strictly prohibited under this policy as they put the company and ePHI at risk.
2. Password Policy
Passwords aid in keeping PHI confidential. A solid password policy is a priority among a company’s security controls. The user is held accountable for maintaining and securing passwords that protect against threats to the company network and systems.
3. Confidential Data Policy
This policy covers data destruction efforts and the proper retirement of computer devices and storage devices. It also covers securing data in appropriate areas, as well as computer and media reuse.
4. Mobile Device Policy
This policy lays out the ways that portable device use is requested, carried out and retired when finished, to ensure proper security protections are in place when computing devices are used outside of the traditional network area.
5. Backup Policy
The Backup Policy is used to formalize the process of securing backup copies of all critical PHI data, so that a proper recovery point is established for the business to ensure adequate protection and business recovery.
6. Network Access and Authentication Policy
An appropriate Network Access and Authentication Policy reduces the risk of a security incident by requiring consistent application of authentication and access standards across the network.
7. Workforce Security Policy
The objective of this policy is to ensure that proper authorization has been provided to all staff members who have access to ePHI, as well as to aid the user in obtaining/providing the necessary consent for access.
8. Incident Response Policy
The objective of this policy is to advise the user of the appropriate actions to take in the event of a security incident or privacy breach.
9. Sanctions Policy
The objective of this policy is to advise the user of the appropriate actions to take in the event of a security incident or privacy breach.
10. IT Systems and Network Operations Policy
- 164.312(d) Person or Entity Authentication
- 164.308(a)(7) Data Backup Plan
- 164.308(a)(5)(ii)(A) Security Awareness and Training
- 164.308(a)(5)(ii)(B) Protection from Malicious Software
- 164.308(a)(5)(ii)(C) Log-in Monitoring
- 164.312(b) Audit Controls
- 164.312(c)(2) Mechanism to Authenticate Electronic Protected Health Information
- 164.312(e)(2)(i) Integrity Controls
This policy is to protect information assets, client data and reputation while providing secure and reliable services by implementing and managing physical and technical safeguards on all critical systems.
11. Physical Security Policy
The objective of this policy is to identify and alleviate physical threats to the facility itself and the ePHI that it contains by setting standards for secure operations.
12. Contingency Plan Policy
- 164.308(a)(7)(i) Contingency Plan
- 164.308(a)(7)(ii)(A) Data Backup Plan
- 164.308(a)(7)(ii)(B) Disaster Recovery Plan
- 164.308(a)(7)(ii)(C) Emergency Mode Operation Plan
- 164.310(a)(2)(i) Contingency Plan Operations
- 164.310(a)(2)(ii) Facility Security Plan
- 164.310(a)(2)(iv) Maintenance Records
This policy addresses the steps necessary to enable recovery of critical IT systems, operations, and data after a disruption by developing coordinated plans, procedures, and other technical measures in advance of such a disruptive event.
13. Data Encryption Policy
This policy should detail how the organization has implemented a commercially acceptable level of encryption for all ePHI in its possession both at rest and in motion to, from and within the organization whenever technically feasible.
14. Risk Analysis Policy
The objective of this policy is to make the user aware of the steps that are taken to manage risks and to make informed decisions when assessing risks within the organization. Additionally, the policy should establish the responsibility to properly maintain policies and procedures that prevent risks.
15. Notice of Privacy Practices Policy
This policy provides patients with a clear and concise explanation of their rights and our usage with respect to PHI. This clarification is provided via the Notice of Privacy Practice Document which should be posted for patients to easily see.
16. Uses and Disclosures General Rules Policy
This policy is intended to provide the user with the general rules for using and disclosing PHI.
17. Uses and Disclosures for Treatment, Payment and Health Care Operations Policy
The objective of this policy is to provide workforce members information regarding when it is necessary and permissible to disclose protected health information. Any use or disclosure for treatment must also be consistent with the Notice of Privacy Practices.
18. Uses and Disclosures Requiring the Opportunity for the Individual to Agree or Object Policy
The objective of this policy is to make workforce members aware of what involvement with the patient is appropriate when disclosing a patient’s status or condition, as well as the patient’s right to object to such disclosure.
19. Uses and Disclosures for PHI that Require Authorization
This policy provides staff members with details of when the uses and disclosure of PHI require an authorization from the owner of the information.
20. Uses and Disclosures Organizational/Business Associate Policy
This policy makes the user aware of the responsibility of the Business Associate and the information to be included in the agreement as well as provisions for Group Plan changes.
21. Uses and Disclosures for which the Opportunity to Agree or Object is Not Required Policy
This policy is to make staff members aware of the permitted uses and disclosures of PHI that do not require authorization, as required by law.
22. Other Requirements for Use and Disclosure of PHI Policy
This policy provides staff members with a process of detecting, de-identifying, and limiting PHI to the minimum necessary for the purposes of the request for PHI.
23. Access of Individuals to PHI Policy
This policy provides staff members with information regarding when it is permissible to provide the individual with access to PHI, in addition to the method in which access to PHI may be provided.
24. Accounting for Disclosures Policy
This policy is intended to advise the user under which circumstances an accounting of disclosures may be provided to the individual affected (i.e., the patient).
25. Amendment of PHI Policy
The objective of this policy is to provide the cases in which an amendment request will not be honored, as well as the steps that the user would take in appropriately approving or denying the request.
26. Transition Provisions Policy
This policy defines for staff members when it is permissible to provide PHI for research.
27. Administrative Requirements Policy
In order to oversee the administrative requirements, this policy identifies the Privacy Officer and his/her responsibilities for the organization. The PO is the first point of contact for privacy concerns, and other privacy matters that may affect usual business operations. It also defines the organizational training program requirements.
28. Rights to Request Protection of PHI
The objective of this policy is to advise the patient of their right to request that the use and disclosure of PHI be restricted.
29. Business Associate Policy
This policy explains the roles of a Business Associate and what measures need to be taken in order to protect confidential data such as ePHI. In order to ensure that the Business Associate maintains a level of security with regard to ePHI, a Business Associate Agreement must be completed.