Policy & Procedure Editing & Next Steps Guide

🚧

Accountable's Policy and Procedure templates are general templates, some of which need updating to fit your company's unique context.

Policy & Procedure Editing Guide

Below are the minimum necessary updates required for our Policy & Procedure templates. Additional updates that are not explicitly defined below may be required, depending on your organization.

❗️

Please read all Policies & Procedures before publishing. Accountable's Policy & Procedure templates are general templates, and need updating to reflect your unique organization's setup and needs.

Policy or Procedure NameCategoryPolicy TypeEditing Required
Acceptable Use PolicyPersonnelAcceptable Usen/a
Access RightsTechnical SafeguardsAccess Rightsn/a
Audit Controls; System AlertsTechnical SafeguardsAudit Controlsn/a
Authentication ControlsTechnical SafeguardsAuthentication Controls
  • Update the Password Policy requirements to align with what your organization can and will uphold, without compromising on being security conscious
Business Associate RelationshipRisk ManagementBusiness Associate Relationshipn/a
Comprehensive Information Security PlanPersonnelInformation Security Plan
  • Designating the IT Director, IT Staff, Network Administrator, and Security Administrators
  • Documenting multiple Definitions
  • Policy Effective Date
Confidentiality AgreementPersonnelConfidentiality Agreementn/a
Data Backup and StoragePhysical SafeguardsData Backupn/a
Data IntegrityData ManagementData Integrity
  • List of Critical Systems
De-identification PolicyTechnical SafeguardsDe Identificationn/a
Device, Media, and Hardware ControlsPhysical SafeguardsDevice Medial Controlsn/a
Disaster RecoverySecurity IncidentDisaster Recovery
  • List Critical Services
  • List Key Tasks
  • Define SLAs
  • List team members who should be notified during key Disaster Recovery Plan milestones
  • Define key team member's Disaster Recovery Plan roles
  • Set a Recovery Time Objective
  • Write out your organization specific Disaster Recovery Plan steps
Documentation, Records Retention, and Documentation DestructionData ManagementDocumentationn/a
EncryptionTechnical SafeguardsEncryptionIf Encryption tool was implemented:
  • Document which tool and how it encrypts data
If Encryption tool was not implemented:
  • Document why not
If Technology Company:
  • Hosting PHI in the Cloud: document how your provider is encrypting data
  • Hosting PHI locally: ensure data is encrypted and document how
Enforcement SanctionsSecurity IncidentEnforcement Sanctionsn/a
Facility Access ControlsPhysical SafeguardsFacility AccessWork from Office only...
  • This policy should be updated to reflect the security measures that your organization has in place in the office, clinic, etc.
Any ability for team members to access work outside of the office...
  • This policy should be updated to include a section that defines security measures for when people are accessing work outside of the office
    • Examples: cannot use public wifi, must use VPN, etc.
Incident Reporting PolicySecurity IncidentIncident Reportingn/a
Marketing and FundraisingPersonnelMarketing Fundraisingn/a
MitigationRisk ManagementMitigationn/a
Non-retaliation and WaiverPersonnelNon Retaliationn/a
Notification of BreachSecurity IncidentBreach Notification
  • Define a Breach Response Contact
Ongoing Risk AssessmentRisk ManagementRisk Assessmentn/a
Personnel DesignationsPersonnelPersonnel Designations
  • Enter the Privacy Officer and their phone number
  • Note who can interface with PHI internally
Privacy PolicyPersonnelPrivacy
  • Update the Effective Date
Restricted Internal Access to PHIPersonnelRestricted PHI Accessn/a
Sanctions Non CompliancePersonnelNon Compliance Sanctionsn/a
Security Incident ResponseSecurity IncidentSecurity Incident Responsen/a
Termination ProceduresPersonnelTermination Proceduresn/a
The Minimum Necessary RequirementPersonnelMinimum Necessary Requirementn/a
Transmission SecurityTechnical SafeguardsTransmission Securityn/a
Viruses and Malware; Application UpdatesTechnical SafeguardsMalware Policy
  • Document which Anti-Malware System is in place (OS specific or third party)
Workstation SecurityPhysical SafeguardsWorkstation Securityn/a

Policy & Procedure Next Steps Guide

Below are the actions implied by or required to be in compliance with our out-of-the-box Policy & Procedure Templates. Additional action items that are not explicitly defined below may be required, depending on your Policy & Procedure updates and depending on your organization.

Policy or Procedure NameCategoryPolicy TypeAction Items
Acceptable Use PolicyPersonnelAcceptable Usen/a
Access RightsTechnical SafeguardsAccess Rights
  • Assignment of User IDs
Audit Controls; System AlertsTechnical SafeguardsAudit Controls
  • Setup Audit Logs for all Systems
  • Set up Security Alerts
  • Etc.
Authentication ControlsTechnical SafeguardsAuthentication Controls
  • Update Password Policy
Business Associate RelationshipRisk ManagementBusiness Associate Relationship
  • Have signed BAAs in place for all BAs
Note: Accountable has BAA templates, supports e-signature collection, and BAA storage.
Comprehensive Information Security PlanPersonnelInformation Security Plann/a
Confidentiality AgreementPersonnelConfidentiality Agreement
  • Have signed Confidentiality Agreements (CA) in place for all team members
Note: Accountable has CA templates, supports e-signature collection, and CA storage.
Data Backup and StoragePhysical SafeguardsData Backup
  • Setup daily backups for Critical Systems
Note: “Critical System” means any Company System that regularly processes or stores (a) member information of any type (including ePHI); (b) sensitive employee information; or (c) sensitive business information.
Data IntegrityData ManagementData Integrityn/a
De-identification PolicyTechnical SafeguardsDe Identificationn/a
Device, Media, and Hardware ControlsPhysical SafeguardsDevice Medial Controls
  • Document your Data Inventory
Note: Accountable supports Data Inventory Documentation
Disaster RecoverySecurity IncidentDisaster Recovery
  • Complete a bi-annual Continuity Plan rehearsal
Documentation, Records Retention, and Documentation DestructionData ManagementDocumentationn/a
EncryptionTechnical SafeguardsEncryption
  • Decide if an Encryption solutions is appropriate
    • If not, document why not
For Technology Companies...
  • Hosting PHI in the Cloud: document how your provider is encrypting data
  • Hosting PHI locally: ensure data is encrypted and document how
Enforcement SanctionsSecurity IncidentEnforcement Sanctionsn/a
Facility Access ControlsPhysical SafeguardsFacility Accessn/a
Incident Reporting PolicySecurity IncidentIncident Reporting
  • Have all team members acknowledge How to Report an Incident 2x per year
  • Test the Incident Reporting Procedure 2x per year
  • Check for new Incident Reports at least 1x per month
Marketing and FundraisingPersonnelMarketing Fundraisingn/a
MitigationRisk ManagementMitigationn/a
Non-retaliation and WaiverPersonnelNon Retaliationn/a
Notification of BreachSecurity IncidentBreach Notification
  • Review this Policy annually and after each reported Incident
  • Train all Team Members on What a HIPAA Incident is and How to Report Incidents
Note: Accountable's HIPAA Training course covers "What is a HIPAA Incident?"

Note: Accountable supports Incident Reporting and Training team members how to Report Incidents

Ongoing Risk AssessmentRisk ManagementRisk Assessment
  • Complete internal audits
  • Meet 2x per year with your organization's key decision makers to discuss risks to security and PHI
    • Take and keep minutes of these meetings
Personnel DesignationsPersonnelPersonnel Designations
  • Maintain a list of BAs
Note: Accountable supports listing your BAsIf your organization is a Covered Entity (CE)....
  • All patients should sign an Notice of Privacy Practices (NPP)
Privacy PolicyPersonnelPrivacyn/a
Restricted Internal Access to PHIPersonnelRestricted PHI Accessn/a
Sanctions Non CompliancePersonnelNon Compliance Sanctionsn/a
Security Incident ResponseSecurity IncidentSecurity Incident Response
  • Develop your organization's Security Incident Response Plan
Termination ProceduresPersonnelTermination Procedures
  • Update team member Offboarding Checklists
The Minimum Necessary RequirementPersonnelMinimum Necessary Requirementn/a
Transmission SecurityTechnical SafeguardsTransmission Securityn/a
Viruses and Malware; Application UpdatesTechnical SafeguardsMalware Policy
  • Ensure Device Operating System (OS) updates happen in a timely manner
  • Potentially, implement an Anti-Malware Application
Workstation SecurityPhysical SafeguardsWorkstation Security
  • Setup device Time-Out/Lock Settings to lock after 20 minutes


Did this page help you?