Policy & Procedure Editing & Next Steps Guide

🚧

Accountable's Policy and Procedure templates are general templates, some of which need updating to fit your company's unique context.

Policy & Procedure Editing Guide

Below are the minimum necessary updates required for our Policy & Procedure templates. Additional updates that are not explicitly defined below may be required, depending on your organization.

ā—ļø

Please read all Policies & Procedures before publishing. Accountable's Policy & Procedure templates are general templates, and need updating to reflect your unique organization's setup and needs.

| Policy or Procedure Name | Category | Policy Type | Editing Required |
|---|---|---|---|
| Acceptable Use Policy | Personnel | Acceptable Use | n/a |
| Access Rights | Technical Safeguards | Access Rights | n/a |
| Audit Controls; System Alerts | Technical Safeguards | Audit Controls | n/a |
| Authentication Controls | Technical Safeguards | Authentication Controls | Update the Password Policy requirements to match what your organization can and will enforce, without weakening security |
| Business Associate Relationship | Risk Management | Business Associate Relationship | n/a |
| Comprehensive Information Security Plan | Personnel | Information Security Plan | Designate the IT Director, IT Staff, Network Administrator, and Security Administrators; complete the multiple Definitions; set the Policy Effective Date |
| Confidentiality Agreement | Personnel | Confidentiality Agreement | n/a |
| Data Backup and Storage | Physical Safeguards | Data Backup | n/a |
| Data Integrity | Data Management | Data Integrity | List your Critical Systems |
| De-identification Policy | Technical Safeguards | De-identification | n/a |
| Device, Media, and Hardware Controls | Physical Safeguards | Device Media Controls | n/a |
| Disaster Recovery | Security Incident | Disaster Recovery | List Critical Services; list Key Tasks; define SLAs; list the team members to notify at key Disaster Recovery Plan milestones; define each key team member's Disaster Recovery Plan role; set a Recovery Time Objective; write out your organization-specific Disaster Recovery Plan steps |
| Documentation, Records Retention, and Documentation Destruction | Data Management | Documentation | n/a |
| Encryption | Technical Safeguards | Encryption | If an encryption tool was implemented: document which tool and how it encrypts data. If no encryption tool was implemented: document why not. If you are a technology company: hosting PHI in the cloud, document how your provider encrypts data; hosting PHI locally, ensure data is encrypted and document how |
| Enforcement Sanctions | Security Incident | Enforcement Sanctions | n/a |
| Facility Access Controls | Physical Safeguards | Facility Access | Work from office only: update this policy to reflect the security measures your organization has in place in the office, clinic, etc. Any ability for team members to work outside the office: add a section defining the security measures for accessing work outside the office (for example: no public Wi-Fi, VPN required) |
| Incident Reporting Policy | Security Incident | Incident Reporting | n/a |
| Marketing and Fundraising | Personnel | Marketing Fundraising | n/a |
| Mitigation | Risk Management | Mitigation | n/a |
| Non-retaliation and Waiver | Personnel | Non Retaliation | n/a |
| Notification of Breach | Security Incident | Breach Notification | Define a Breach Response Contact |
| Ongoing Risk Assessment | Risk Management | Risk Assessment | n/a |
| Personnel Designations | Personnel | Personnel Designations | Enter the Privacy Officer and their phone number; note who may interface with PHI internally |
| Privacy Policy | Personnel | Privacy | Update the Effective Date |
| Restricted Internal Access to PHI | Personnel | Restricted PHI Access | n/a |
| Sanctions Non Compliance | Personnel | Non Compliance Sanctions | n/a |
| Security Incident Response | Security Incident | Security Incident Response | n/a |
| Termination Procedures | Personnel | Termination Procedures | n/a |
| The Minimum Necessary Requirement | Personnel | Minimum Necessary Requirement | n/a |
| Transmission Security | Technical Safeguards | Transmission Security | n/a |
| Viruses and Malware; Application Updates | Technical Safeguards | Malware Policy | Document which anti-malware system is in place (OS-specific or third-party) |
| Workstation Security | Physical Safeguards | Workstation Security | n/a |

Policy & Procedure Next Steps Guide

Below are the actions that our out-of-the-box Policy & Procedure templates imply or require in order to be in compliance with them. Additional action items that are not explicitly defined below may be required, depending on your Policy & Procedure updates and on your organization.

| Policy or Procedure Name | Category | Policy Type | Action Items |
|---|---|---|---|
| Acceptable Use Policy | Personnel | Acceptable Use | n/a |
| Access Rights | Technical Safeguards | Access Rights | Assign user IDs |
| Audit Controls; System Alerts | Technical Safeguards | Audit Controls | Set up audit logs for all systems; set up security alerts; etc. |
| Authentication Controls | Technical Safeguards | Authentication Controls | Update the Password Policy |
| Business Associate Relationship | Risk Management | Business Associate Relationship | Have signed BAAs in place for all BAs. Note: Accountable provides BAA templates, e-signature collection, and BAA storage. |
| Comprehensive Information Security Plan | Personnel | Information Security Plan | n/a |
| Confidentiality Agreement | Personnel | Confidentiality Agreement | Have signed Confidentiality Agreements (CAs) in place for all team members. Note: Accountable provides CA templates, e-signature collection, and CA storage. |
| Data Backup and Storage | Physical Safeguards | Data Backup | Set up daily backups for Critical Systems. Note: "Critical System" means any Company System that regularly processes or stores (a) member information of any type (including ePHI); (b) sensitive employee information; or (c) sensitive business information. |
| Data Integrity | Data Management | Data Integrity | n/a |
| De-identification Policy | Technical Safeguards | De-identification | n/a |
| Device, Media, and Hardware Controls | Physical Safeguards | Device Media Controls | Document your Data Inventory. Note: Accountable supports Data Inventory documentation. |
| Disaster Recovery | Security Incident | Disaster Recovery | Complete a bi-annual Continuity Plan rehearsal |
| Documentation, Records Retention, and Documentation Destruction | Data Management | Documentation | n/a |
| Encryption | Technical Safeguards | Encryption | Decide whether an encryption solution is appropriate; if not, document why not. For technology companies: hosting PHI in the cloud, document how your provider encrypts data; hosting PHI locally, ensure data is encrypted and document how. |
| Enforcement Sanctions | Security Incident | Enforcement Sanctions | n/a |
| Facility Access Controls | Physical Safeguards | Facility Access | n/a |
| Incident Reporting Policy | Security Incident | Incident Reporting | Have all team members acknowledge how to report an incident twice per year; test the Incident Reporting Procedure twice per year; check for new incident reports at least once per month |
| Marketing and Fundraising | Personnel | Marketing Fundraising | n/a |
| Mitigation | Risk Management | Mitigation | n/a |
| Non-retaliation and Waiver | Personnel | Non Retaliation | n/a |
| Notification of Breach | Security Incident | Breach Notification | Review this policy annually and after each reported incident; train all team members on what a HIPAA incident is and how to report incidents. Note: Accountable's HIPAA Training course covers "What is a HIPAA Incident?", and Accountable supports incident reporting and training team members on how to report incidents. |
| Ongoing Risk Assessment | Risk Management | Risk Assessment | Complete internal audits; meet twice per year with your organization's key decision makers to discuss risks to security and PHI, and take and keep minutes of these meetings |
| Personnel Designations | Personnel | Personnel Designations | Maintain a list of BAs. Note: Accountable supports listing your BAs. If your organization is a Covered Entity (CE): have every patient sign an acknowledgment of receipt of your Notice of Privacy Practices (NPP) |
| Privacy Policy | Personnel | Privacy | n/a |
| Restricted Internal Access to PHI | Personnel | Restricted PHI Access | n/a |
| Sanctions Non Compliance | Personnel | Non Compliance Sanctions | n/a |
| Security Incident Response | Security Incident | Security Incident Response | Develop your organization's Security Incident Response Plan |
| Termination Procedures | Personnel | Termination Procedures | Update team member offboarding checklists |
| The Minimum Necessary Requirement | Personnel | Minimum Necessary Requirement | n/a |
| Transmission Security | Technical Safeguards | Transmission Security | n/a |
| Viruses and Malware; Application Updates | Technical Safeguards | Malware Policy | Ensure device operating system (OS) updates happen in a timely manner; consider implementing an anti-malware application |
| Workstation Security | Physical Safeguards | Workstation Security | Set device time-out/lock settings to lock after 20 minutes of inactivity |