Partnership
Aris offers Security Risk Analyses for HIPAA Audits. We also provide all your HIPAA Policies, Procedures, Documentation, and Training.
HIPAA Privacy & Security Rule Policies, Procedures, and Documentation
What is really required under HIPAA?
Most organizations think they already have what HIPAA requires in place. HIPAA has changed over the years, and if you have not kept up, you may be missing some critical documents. The only thing worse than not having HIPAA policies and procedures in place is never taking the plastic wrap off the binder, or having employees who do not follow your policies and procedures!
Here are some examples of a few common missing policies and procedures:
- Risk Analysis Policy
- Risk Management Policy
- Sanction Policy
- Security Incident Policy
- Evaluation Policy
- Workstation Use Policy
- Audit Controls Policy
Here are some common missing forms and documents:
- Information System Activity Review Reports
- Workforce Clearance Form
- Workforce Termination Form
- HIPAA Training Logs/Certificates
- Breach Notification Procedures
- Business Associate Agreements
- Device and Media Disposal Forms
Aris’ 7 Simple-Steps to HIPAA Compliance system is complete with the Privacy and Security Rule policies and procedures. Also included are the forms required for patient and HIPAA documentation. Even if you do not need all the policies and forms immediately, you will have them when the need arises. All policies and procedures are written in easy-to-understand language, so employees know what is required of them and what to do in each situation. Our business associate agreement outlines in plain language what HIPAA requires of business associates as well, so they understand how to protect patient data and adhere to HIPAA.
The sections below list the policies, procedures, and documents required under HIPAA.
HIPAA Security policies, procedures, and documentation:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational Requirements
- Policies and Procedures and Documentation Requirements
Administrative Safeguards
Security management process 45 CFR § 164.308(a)(1)(i)
Risk analysis policy 45 CFR § 164.308(a)(1)(ii)(A)
Risk management policy and risk management plan 45 CFR § 164.308(a)(1)(ii)(B)
Sanction policy 45 CFR § 164.308(a)(1)(ii)(C)
Information system activity review policy and audit log tracking form 45 CFR § 164.308(a)(1)(ii)(D)
Assigned security responsibility policy 45 CFR § 164.308(a)(2)
HIPAA privacy and security officer assignment agreement 45 CFR § 164.308(a)(2)
Workforce Security 45 CFR § 164.308(a)(3)(i)
Authorization and/or supervision policy 45 CFR § 164.308(a)(3)(ii)(A)
Workforce (employee) clearance policy and checklist form 45 CFR § 164.308(a)(3)(ii)(B)
Workforce (employee) termination policy and checklist form 45 CFR § 164.308(a)(3)(ii)(C)
Information access management 45 CFR § 164.308(a)(4)(i)
Isolating health care clearinghouse functions 45 CFR § 164.308(a)(4)(ii)(A)
Access authorization 45 CFR § 164.308(a)(4)(ii)(B)
Access establishment and modifications 45 CFR § 164.308(a)(4)(ii)(C)
Security awareness and training (HIPAA training) policy 45 CFR § 164.308(a)(5)(i)
Security Reminders 45 CFR § 164.308(a)(5)(ii)(A)
Protection from malicious code 45 CFR § 164.308(a)(5)(ii)(B)
Log-in monitoring policy 45 CFR § 164.308(a)(5)(ii)(C)
Password management policy and password form 45 CFR § 164.308(a)(5)(ii)(D)
Security incident procedures policy and report form 45 CFR § 164.308(a)(6)(i)
Response and reporting policy and a breach notification plan 45 CFR § 164.308(a)(6)(ii)
Contingency plan policy and template 45 CFR § 164.308(a)(7)(i)
Data backup plan policy 45 CFR § 164.308(a)(7)(ii)(A)
Disaster recovery plan policy 45 CFR § 164.308(a)(7)(ii)(B)
Emergency mode operations plan policy 45 CFR § 164.308(a)(7)(ii)(C)
Testing and revision procedures policy 45 CFR § 164.308(a)(7)(ii)(D)
Applications and data criticality analysis policy 45 CFR § 164.308(a)(7)(ii)(E)
Evaluation policy 45 CFR § 164.308(a)(8)
Business associate contracts policy 45 CFR § 164.308(b)(1), 45 CFR § 164.314(a)(1), 45 CFR § 164.314(a)(2)(i)
Written contract or other arrangements policy 45 CFR § 164.308(b)(4)
Physical Safeguards
Facility access controls 45 CFR § 164.310(a)(1)
Contingency operations policy 45 CFR § 164.310(a)(2)(i)
Facility security plan policy 45 CFR § 164.310(a)(2)(ii)
Access control and validation procedures policy 45 CFR § 164.310(a)(2)(iii)
Maintenance records policy 45 CFR § 164.310(a)(2)(iv)
Workstation use policy and confidentiality and acceptable use agreement 45 CFR § 164.310(b)
Workstation security and inventory list 45 CFR § 164.310(c)
Device and media controls 45 CFR § 164.310(d)(1)
Disposal policy and form 45 CFR § 164.310(d)(2)(i)
Media re-use policy and form 45 CFR § 164.310(d)(2)(ii)
Accountability policy 45 CFR § 164.310(d)(2)(iii)
Data backup and storage policy 45 CFR § 164.310(d)(2)(iv)
Technical Safeguards
Access control policy 45 CFR § 164.312(a)(1)
Unique user identification policy 45 CFR § 164.312(a)(2)(i)
Emergency access procedure policy 45 CFR § 164.312(a)(2)(ii)
Automatic logoff policy 45 CFR § 164.312(a)(2)(iii)
Encryption and decryption policy 45 CFR § 164.312(a)(2)(iv)
Audit controls policy 45 CFR § 164.312(b)
Integrity policy 45 CFR § 164.312(c)(1)
Mechanism to authenticate electronic protected health information (ePHI) policy 45 CFR § 164.312(c)(2)
Person or entity authentication policy 45 CFR § 164.312(d)
Transmission security 45 CFR § 164.312(e)(1)
Integrity controls policy 45 CFR § 164.312(e)(2)(i)
Encryption policy 45 CFR § 164.312(e)(2)(ii)
Organizational Requirements
Business associate contracts (included under Administrative Safeguards) 45 CFR § 164.308(b)(1), 45 CFR § 164.314(a)(1), 45 CFR § 164.314(a)(2)(i)
Other arrangements 45 CFR § 164.314(a)(2)(ii)
Requirements for group health plan policy 45 CFR § 164.312(b)(1), 45 CFR § 164.312(b)(2)
Policies and Procedures and Documentation Requirements
Policies and procedures policy 45 CFR § 164.316(a)
Documentation 45 CFR § 164.316(b)(1)
Time limit policy 45 CFR § 164.316(b)(2)(i)
Availability policy 45 CFR § 164.316(b)(2)(ii)
Updates policy 45 CFR § 164.316(b)(2)(iii)
HIPAA Privacy Policies, Procedures, and Documentation
Assignment of a Privacy Official 45 CFR § 164.530
Designated Record Set policy 45 CFR § 164.524
Notice of privacy policy and form for office and website 45 CFR § 164.520
Confidential communications policy 45 CFR § 164.522(b)
Minimum necessary standard policy 45 CFR § 164.502(b)
Uses and disclosures to carry out treatment, payment, or health care operations 45 CFR § 164.506
Patient rights and requests: Authorization to release protected health information (PHI) policy and release form 45 CFR § 164.508
Patient right to access protected health information (PHI) policy 45 CFR § 164.524
Patient right to amend their protected health information (PHI) policy and form 45 CFR § 164.526
Patient right to restrict access to protected health information (PHI) policy 45 CFR § 164.522(a)
Patient right not to disclose PHI form (this may be used when a patient has paid for services in full out of pocket and does not permit their insurance to be notified) 45 CFR § 164.522(a)(1)(vi)
Patient request for accounting of disclosures policy and request form 45 CFR § 164.528
Patient complaint policy and form 45 CFR § 160.306
Personal representative designation policy and form 45 CFR § 164.502(g)
Verification of identity of person requesting protected health information (PHI) 45 CFR § 164.514(h)
Uses and disclosures for research policy 45 CFR § 164.532
De-identification and limited data set policy 45 CFR § 164.514
Uses and disclosures for marketing policy 45 CFR § 164.508
Uses and disclosures for fundraising policy 45 CFR § 164.514(f)
Click here to learn more about how we can work together to get you HIPAA compliant.