In this post we are going to talk about Organizational Requirements, Policies and Procedures, and Documentation Requirements. This is the fifth post in the HIPAA Series.

The series will contain seven posts:

  1. Security 101 for Covered Entities
  2. Security Standards: Administrative Safeguards
  3. Security Standards: Physical Safeguards
  4. Security Standards: Technical Safeguards
  5. Security Standards: Organizational, Policies and Procedures and Documentation Requirements
  6. Basics of Risk Analysis and Risk Management
  7. Implementation for the Small Provider

This series also has two spin-off posts. If you do not yet have basic information about HIPAA, we suggest reading the following two posts before starting this series:

Note: throughout this post, (R) = Required and (A) = Addressable.

—————————–

Source:

This article is a summary of the hhs.gov website, at the following link:

Security Standards: Organizational, Policies and Procedures and Documentation Requirements

For more information, please refer to hhs.gov.

Organizational, Policies and Procedures and Documentation Requirements

The objective of this post is to review each Organizational Requirements, Policies and Procedures, and Documentation Requirements standard and implementation specification listed in the Security Rule.

This topic includes four standards, all of which we will discuss:

  1. Business Associate Contracts or Other Arrangements – § 164.314(a)(1)
  2. Requirements for Group Health Plans – § 164.314(b)(1)
  3. Policies and Procedures – § 164.316(a)
  4. Documentation – § 164.316(b)(1)

Business Associate Contracts or Other Arrangements – STANDARD § 164.314(a)(1)

This standard provides the specific criteria required for written contracts or other arrangements between a covered entity and its business associates. In general, a business associate is a person or entity other than a member of the covered entity’s workforce that performs functions or activities on the covered entity’s behalf, or provides specified services to the covered entity, that involve the use or disclosure of protected health information. A business associate may also be a covered entity.

For example, a health care clearinghouse may be a business associate and is also a covered entity under HIPAA. A software vendor may be a business associate as well; however, it is not, in that capacity, a covered entity. In both cases, the organizations could perform certain functions, activities or services on behalf of the covered entity and would therefore be business associates.

Business Associate Contracts (R)

The Business Associate Contracts implementation specification states that a business associate contract must provide that the business associate will:

  • Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity…;
  • Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;
  • Report to the covered entity any security incident of which it becomes aware;
  • Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

Other Arrangements (R)

This section provides that when a covered entity and its business associate are both government entities, the covered entity may comply with the standard in either of two alternative ways:

  1. If it enters into a memorandum of understanding (MOU) with the business associate and the MOU contains terms which accomplish the objectives of the Business Associate Contracts section of the Security Rule; or
  2. If other law contains requirements applicable to the business associate that accomplish the objectives of the business associate contract. If statutory obligations of the covered entity or its business associate do not permit the covered entity to include in its other arrangements authorization of the termination of the contract by the covered entity, the termination authorization may be omitted.

Requirements for Group Health Plans – STANDARD § 164.314(b)(1)

This standard requires a group health plan to ensure that its plan documents require the plan sponsor to reasonably and appropriately safeguard EPHI that it creates, receives, maintains or transmits on behalf of the group health plan.

Implementation Specifications

Where the plan sponsor has access to EPHI beyond summary information and enrollment information, or to EPHI other than that which has been authorized under § 164.508, the plan documents must contain language similar to that already required by the Privacy Rule, requiring the plan sponsor to:

  1. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;
  2. Ensure that the adequate separation required by § 164.504(f)(2)(iii) [of the Privacy Rule] is supported by reasonable and appropriate security measures;
  3. Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and
  4. Report to the group health plan any security incident of which it becomes aware.

Policies and Procedures – STANDARD § 164.316(a)

This standard requires that covered entities: “Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv) [the Security Standards: General Rules, Flexibility of Approach]. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.”

While this standard requires covered entities to implement policies and procedures, the Security Rule does not define either “policy” or “procedure.”

  • Policies define an organization’s approach.
  • Procedures describe how the organization carries out that approach, setting forth explicit, step-by-step instructions that implement the organization’s policies.

The Policies and Procedures standard is further explained and supported by the Documentation standard.

Documentation – STANDARD § 164.316(b)(1)

The Documentation standard requires covered entities to:

  1. Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and
  2. If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

Time Limit (R)

The Time Limit implementation specification requires covered entities to: “Retain the documentation required of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.”

This six-year period must be considered the minimum retention period for required documentation under the Security Rule.

Availability (R)

The Availability implementation specification requires covered entities to: “Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.”

Organizations often make documentation available in printed manuals and/or on intranet websites.

Updates (R)

The Updates implementation specification requires covered entities to: “Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.”

The need for review and update will vary based on a covered entity’s documentation review frequency and/or the volume of environmental or operational changes that affect the security of EPHI.
