HIPAA/HITECH Privacy & Security Checklist Assessment

HIPAA PRIVACY RULE


Develop "minimum necessary" policies for:

- Uses (page 15): Exempts disclosure for the purpose of treatment from the minimum necessary standard.
- Routine disclosures (page 17): Exempts information that is required to comply with the electronic transaction standards from the minimum necessary standard.
- Non-routine disclosures (page 19): Generally, covered entities are required reasonably to limit the protected health information disclosed for public health purposes to the minimum amount necessary to accomplish the public health purpose. However, covered entities are not required to make a minimum necessary determination for public health disclosures that are made pursuant to an individual's authorization, or for disclosures that are required by other law. See 45 CFR 164.502(b). For disclosures to a public health authority, covered entities may reasonably rely on a minimum necessary determination made by the public health authority in requesting the protected health information. See 45 CFR 164.514(d)(3)(iii)(A). For routine and recurring public health disclosures, covered entities may develop standard protocols, as part of their minimum necessary policies and procedures, that address the types and amount of protected health information that may be disclosed for such purposes. See 45 CFR 164.514(d)(3)(i).
- Limit request to minimum necessary (page 16): Staff must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, to the extent possible by limiting the use or disclosure to a limited data set. For all other requests, staff must review the request on an individual basis to determine that the protected health information sought is limited to the information reasonably necessary to accomplish the purpose for which the request is made. Staff may not use, disclose, or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.
- Ability to rely on request for minimum necessary (page 65): Form PF-4000 Tracking of Request for Access, Amend or Disclosure of PHI.

Page references for the above: 15, 17, 19, 27, 30, 37, 38, 39; 2, 3, 15, 16, 19, 24, 25.

Version Date: 10/24/2013 1/18

Develop policies for business associate (BA) relationships and amend business associate contracts or agreements (page 9; page references for the above: 9, 10, 11): Written contracts or agreements must be negotiated between a medical practice and any business associate that will handle protected health information it receives from or creates for the practice. A business associate that creates, receives, maintains, or transmits PHI or electronic PHI for the medical practice must provide satisfactory assurances that it will appropriately safeguard the information. These assurances must be included in a written contract or other arrangement with the business associate. This contract or agreement must include provisions that:

- Obtain satisfactory assurances in contract (page 9): Satisfactory assurances (see above).
- Limit disclosures to those that are authorized by the client, or that are required or allowed by the privacy regulations and state law.
- Document sanctions for non-compliance (page 11): The business associate should be notified by the practice's legal counsel that action will be taken to terminate the contract if the violation of contract provisions is not immediately corrected. The information to be maintained includes "records of actions taken to enforce compliance with contract provisions by business associates."

Obtaining authorization, when required, for use and disclosure of protected information (see Forms PF-1000 Notice of Privacy Practices and PF-3000 Authorization For Use and/or Disclosure of Protected Health Information). Referenced on pages listed in Column A: (14, 16, 18), (27, 30), (27, 40), (18, 19), (15, 17, 27, 49, 41, 53). The policies in this section address the disclosure of protected health information to various government entities. In general, disclosure to government entities is mandated by law and does not require the consent or advance authorization of the patient.

Develop and disseminate notice of privacy practices (page 27; pages 34, 35, 36, 37): P-3000 Notice and Authorization. The policies in this section establish procedures for developing the Notice of Privacy Practices form and obtaining patient authorization for use and disclosure of protected health information.

- Providing the Notice of Privacy Practices to all patients and obtaining a written acknowledgment of receipt: Form PF-1000 NOTICE OF PRIVACY PRACTICES.

Develop policies for alternative means of communication requests (page 36): The patient should be informed that his or her request will be accommodated if he or she provides an alternative means of making confidential communications. See Form PF-5000 Authorization To Communicate Patient's Medical Information (page 66).

Develop policies for access to designated record sets (pages 40, 41, 42, 43, 44): A patient or a patient's representative may, subject to approval under policy P-5120, inspect and obtain a copy of his or her information maintained in medical records or other information systems of ProHealth Partners (page 40).

- Providing access
- Denying access

Develop policies for amendment requests (pages 40, 45, 46, 47, 48, 49): The designated record sets for which a patient may request amendment include the patient's medical records, the patient's billing records, and other records that contain protected health information that is used to direct treatment (pages 44, 45). See pages 45 through 49 for the policies for amendment requests.

- Accepting an amendment
- Denying an amendment
- Actions on notice of an amendment
- Documentation

Develop policies for accounting of disclosures (pages 49, 50, 51): Any disclosure, other than a disclosure covered by the patient's consent to the use and disclosure for purposes of treatment, payment, or health care operations, will be documented by completing a disclosure accounting form. See pages 49, 50, 51 and Form PF-4000 Tracking of Request for Access, Amend or Disclosure of PHI (page 65).

Implementation of Privacy Rule administrative requirements (page 2; see pages 2, 4, 5, 6, 7, 8, 13, 54, 55, 56): Establishes requirements for administrative measures to implement the policy standards. These include:

- Appointment of a HIPAA privacy officer (page 2): The Privacy Officer is responsible for the development and implementation of policies and procedures to safeguard the privacy of patients' health information consistent with federal and state laws and regulations.
- Training of workforce (page 3): This section establishes the responsibility for the development and updating of staff training programs and materials on privacy policies and procedures. It also establishes the responsibility of all staff members to complete privacy training.
- Sanctions for non-compliance (page 5): P-1300 Staff Compliance and Sanctions. The policies in this section of the privacy manual establish disciplinary procedures for employees whose actions are out of compliance with ProHealth Partners privacy policies and procedures.
- Develop compliance policies (page 2): The policies in this section establish the organizational responsibility for compliance with the privacy standards and for overseeing the efforts of ProHealth Partners to safeguard the privacy of patient information.
- Develop anti-retaliation policies (page 8): No action shall be taken against a staff member who reports a violation of privacy standards to the Secretary of HHS or to law enforcement agencies.
- Policies and Procedures (page 2): The policies in this section (P-1000) of the ProHealth Partners policy and procedure manual establish the medical practice's administrative policies and procedures for safeguarding the privacy of protected health information.

HIPAA SECURITY RULE - Administrative Safeguards (R = Required, A = Addressable)

§ 164.308(a)(1)(i) Security Management Process: Implement policies and procedures to prevent, detect, contain, and correct security violations. (Page 102) The Privacy Officer will act as the security official who will implement policies and procedures to assess, analyze, prevent, detect, contain, and correct security violations.

§ 164.308(a)(1)(ii)(A) Has a Risk Analysis been completed in accordance with NIST Guidelines? (R) (Page 102) Conduct an accurate and thorough risk analysis, in accordance with NIST Guidelines, of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

§ 164.308(a)(1)(ii)(B) Has the Risk Management process been completed in accordance with NIST Guidelines? (R) (Page 103) The Privacy Officer implements a comprehensive risk-management program based on the results of the risk analysis. The risk-management program includes the security measures identified by the risk analysis. Risk analysis will be done every three years or as necessary. The purpose of these security measures is to reduce risks and vulnerabilities to a reasonable and appropriate level.

§ 164.308(a)(1)(ii)(C) Do you have formal sanctions against employees who fail to comply with security policies and procedures? (R) (Pages 103, 104) Employees and other members of the medical practice's workforce are subject to sanctions for violating the medical practice's security policies and procedures. Violations of security measures and the penalties associated with them are classified as S-1470 Minor Security Breaches, S-1480 Significant Security Breaches, and S-1490 Severe Security Breaches; see the sanctions and examples on page 95 for each type of violation.

§ 164.308(a)(1)(ii)(D) Have you implemented procedures to regularly review records of information system activity such as audit logs, access reports, and security incident tracking? (R) (Page 98) The security official regularly reviews records of information system activity, such as audit logs, access reports, and security incident tracking reports, and ensures that any breaches in security have been corrected.

§ 164.308(a)(2) Assigned Security Responsibility: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. (R) (Page 87) The Privacy Officer will serve as the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. The Privacy Officer will oversee a team of security officials including but not limited to officers assigned from the following departments: Information Technology (IT), Systems Management, Systems Support, EMR Specialists.

§ 164.308(a)(3)(i) Workforce Security: Implement policies and procedures to ensure that all members of its workforce have appropriate access to EPHI, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information (EPHI). (Page 80)

§ 164.308(a)(3)(ii)(A) Have you implemented procedures for the authorization and/or supervision of employees who work with EPHI or in locations where it might be accessed? (A) (Page 80) The security official will implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

§ 164.308(a)(3)(ii)(B) Have you implemented procedures to determine that the access of an employee to EPHI is appropriate? (A) (Page 80) The security official will implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

§ 164.308(a)(3)(ii)(C) Have you implemented procedures for terminating access to EPHI when an employee leaves your organization? (A) (Pages 80, 107) (80) The security official will implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. (107) The security official should be notified of the effective date of any employee termination or of the date on which a staff member's authorization to use the medical practice's information resources will terminate. The staff member's user account on the medical practice's information system will be disabled or deleted upon termination of the relationship with the medical practice.

§ 164.308(a)(4)(i) Information Access Management: Implement policies and procedures for authorizing access to EPHI that are consistent with the applicable requirements of subpart E of this part.

§ 164.308(a)(4)(ii)(A) If you are a clearinghouse that is part of a larger organization, have you implemented policies and procedures to protect EPHI from the larger organization? (A) Not applicable.

§ 164.308(a)(4)(ii)(B) Have you implemented policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, or process? (A) (Page 81) The security official will implement policies and procedures that, based upon the medical practice's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

§ 164.308(a)(4)(ii)(C) Have you implemented policies and procedures that are based upon your access authorization policies to establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process? (A) (Page 81) The security official will implement and manage the creation and modification of access privileges to workstations, transactions, programs, or processes and be responsible for terminating access privileges for workforce members. All additions and changes will be documented and reviewed for validity.

§ 164.308(a)(5)(i) Security Awareness and Training: Implement a security awareness and training program for all members of its workforce (including management). (Page 106)

§ 164.308(a)(5)(ii)(A) Do you provide periodic information security reminders? (A) (Page 107) The medical practice publishes periodic notices and security updates to maintain awareness of security procedures and sound security practices. Notices are prepared whenever significant new security threats are identified, whenever security features of computer hardware and software are revised or updated, and whenever the security official believes that a security incident warrants calling the attention of staff members to security policies and procedures.

§ 164.308(a)(5)(ii)(B) Do you have policies and procedures for guarding against, detecting, and reporting malicious software? (A) (Page 101) Anti-virus software is installed on all computer workstations and servers to protect the medical practice and its information from attack by malicious software such as computer viruses, worms, and Trojan horses. Procedure: The security official is responsible for ensuring that anti-virus software has been installed on all workstations and on network servers. The security official also ensures that anti-virus software is regularly updated.

§ 164.308(a)(5)(ii)(C) Do you have procedures for monitoring log-in attempts and reporting discrepancies? (A) The security official reviews log-in monitoring records and investigates patterns that suggest the possibility of security breaches or attempted penetration of security measures by unauthorized users.

§ 164.308(a)(5)(ii)(D) Do you have procedures for creating, changing, and safeguarding passwords? (A) All users must select a password conforming to the following guidelines:

* Passwords should be between six and 10 characters.
* Passwords should not be the name of a pet, spouse, child, or parent.
* Passwords should be a word or sequence of letters and numbers that the user can remember but could not be easily guessed by even a close friend of the user.
* Passwords should never be written down.
* Passwords should never be given to other staff members.
* A new password should be selected every six months, and current or previous passwords should not be re-used.

§ 164.308(a)(6)(i) Security Incident Procedures: Implement policies and procedures to address security incidents. (Page 105)

§ 164.308(a)(6)(ii) Do you have procedures to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of known security incidents; and document incidents and their outcomes? (R) (Page 105) The security official will develop, implement, and update as needed procedures to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of known security incidents; and document incidents and their outcome. Security incidents are to be reported promptly to the security official. Incidents should be reported by the staff members responsible for the incident or by staff members who identify the incident.

§ 164.308(a)(7)(i) Contingency Plan: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain EPHI. (Page 90)

§ 164.308(a)(7)(ii)(A) Have you established and implemented procedures to create and maintain retrievable exact copies of EPHI? (Page 91) The security official will develop and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

§ 164.308(a)(7)(ii)(B) Have you established (and implemented as needed) procedures to restore any loss of EPHI data that is stored electronically? (Pages 90, 92) Detailed back-up procedures are documented in the medical practice's contingency plan. These procedures create an exact copy of PHI at a given point in time. Technical staff members responsible for preparing back-up data sets test the back-up copies to ensure that they:

* Contain an exact copy of the information they back up
* Can be restored when needed

The security official determines when a back-up data set should be used to re-create or restore lost data.

§ 164.308(a)(7)(ii)(C) Have you established (and implemented as needed) procedures to enable continuation of critical business processes and for protection of EPHI while operating in the emergency mode? (Pages 93, 95) The security official develops detailed emergency-mode operating procedures as part of the comprehensive contingency plan. These procedures safeguard the medical practice's information resources and PHI during emergencies that disrupt normal security measures.
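The back-up test described under § 164.308(a)(7)(ii)(B) (that a back-up set contains an exact copy and can be restored) as an added example; this is not code from the checklist or from the practice's contingency plan. It records a SHA-256 manifest of the source tree before the back-up runs, performs a restoration drill into a separate directory, and compares every restored file against the manifest. The directory names, the sample record files, and the copytree-based "backup" are assumptions constructed for the example, standing in for whatever back-up tooling is actually used.

```python
"""Verify that a back-up set is an exact, restorable copy of an EPHI tree.

Added example, not the practice's own contingency-plan code. Paths, sample
records and the copy-based "backup" are constructed assumptions.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large images or databases fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256.
    Taken before the back-up runs; this is the reference for 'exact copy'."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(expected: dict, restored_root: Path) -> list:
    """Compare a restored tree against the manifest.
    Returns a sorted list of (relative path, problem); an empty list means exact copy."""
    actual = manifest(restored_root)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append((rel, "missing"))
        elif actual[rel] != digest:
            problems.append((rel, "content differs"))
    for rel in actual.keys() - expected.keys():
        problems.append((rel, "unexpected file"))
    return sorted(problems)


def backup_and_restore_drill(corrupt_restore: bool = False) -> list:
    """Full cycle in a temporary directory: take the manifest, back up, restore,
    verify. With corrupt_restore=True one restored file is damaged to show that
    the drill reports it instead of passing silently."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, backup, restored = base / "ephi", base / "backup", base / "restored"
        (source / "records").mkdir(parents=True)
        # Constructed sample data standing in for the practice's EPHI store.
        (source / "records" / "000123.json").write_text('{"mrn": "000123", "dx": "J06.9"}')
        (source / "index.txt").write_text("000123\n")

        expected = manifest(source)
        shutil.copytree(source, backup)      # the retrievable exact copy
        shutil.copytree(backup, restored)    # restoration drill into a clean location
        if corrupt_restore:
            (restored / "index.txt").write_text("000124\n")
        return verify_restore(expected, restored)


if __name__ == "__main__":
    print("clean drill:", backup_and_restore_drill() or "exact copy, restorable")
    print("damaged drill:", backup_and_restore_drill(corrupt_restore=True))
```

The point of restoring into a clean location rather than over the source is that a drill which restores in place can pass even when the back-up is incomplete, because the untouched original files are still there; the manifest comparison also catches files that the restore added or dropped, not only ones whose contents changed.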

§ 164.308(a)(7)(ii)(D) Have you implemented procedures for periodic testing and revision of contingency plans? (A) (Page 107) Contingency plans are to be reviewed with staff members, tested, evaluated, and revised as necessary at least once every 12 months.

§ 164.308(a)(7)(ii)(E) Have you assessed the relative criticality of specific applications and data in support of other contingency plan components? (A) (Page 86) As part of the development of a comprehensive contingency plan, the security official assesses the relative criticality of specific applications and data. Arrangements are made to ensure that critical applications and equipment are replaced within one work day in the event of failure. Critical data are backed up as provided in the back-up plan.

§ 164.308(a)(8) Have you established a plan for periodic technical and non-technical evaluation of the standards under this rule in response to environmental or operational changes affecting the security of EPHI? (R) (Page 91) Subsequent periodic evaluations must be performed in response to environmental or operational changes that affect the security of EPHI. The ongoing evaluation should also be performed on a scheduled basis annually. The evaluation must include reviews of the technical and non-technical aspects of the security program.

§ 164.308(b)(1) Business Associate Contracts and Other Arrangements: A covered entity (CE), in accordance with § 164.502(e), may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entity's behalf only if the CE obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. (Page 89) Have you established written contracts or other arrangements with your trading partners that document satisfactory assurances that the BA will appropriately safeguard the information? (R) (Page 89) Business associate agreements must include the following provisions or provisions with an equivalent effect. The business associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI that it creates, receives, maintains, or transmits on behalf of the covered entity. These safeguards shall be equivalent or identical to the administrative, physical, and technical safeguards that the covered entity is required to implement under the federal security and privacy regulations.

HIPAA SECURITY RULE - Physical Safeguards (R = Required, A = Addressable)

§ 164.310(a)(1) Facility Access Controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

§ 164.310(a)(2)(i) Have you established (and implemented as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency? (A) (Page 94)

§ 164.310(a)(2)(ii) Have you implemented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft? (A) (Page 97)

§ 164.310(a)(2)(iii) Have you implemented procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision? (A) (Page 79)

Policy (pages 79, 94, 97): The medical practice's computer equipment is configured to allow only staff members with appropriate authorization to access information stored on the computer and to configure software installed on the equipment. Staff members responsible for implementing contingency plans must have authorization that enables them to repair equipment and implement emergency procedures. All computer equipment and devices that are used to access, transmit, or store PHI are protected from unauthorized physical access, tampering, and theft. All components of the medical practice's information system are housed in secure locations. Visitors to the medical practice are accompanied by a staff member when in a position to access the practice's information resources. Consultants and contractors whose access has been validated as responsible for installing, maintaining, or testing computer equipment and software are authorized to access the medical practice's information systems in the same manner as though they were staff members authorized to perform similar tasks or functions.

§ 164.310(a)(2)(iv) Have you implemented policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks)? (A) (Page 100) All repairs and modifications to the physical components of the medical practice's facilities that are related to security (hardware, walls, doors, and locks, for example) are documented in the practice's risk-assessment and risk-management plan.

§ 164.310(b) Workstation Use: Have you implemented policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI? (R) (Page 110) The security official will implement policies and procedures that specify the proper functions to be performed by electronic computing devices, to prevent inappropriate use of computer workstations which could compromise information systems and risk breaches of confidentiality. Users must observe the guidelines on use of workstations: S-1591 Guidelines (pages 109 and 110).

§ 164.310(c) Workstation Security: Have you implemented physical safeguards for all workstations that access EPHI, to restrict access to authorized users? (R) Physical safeguards will be implemented for all workstations that access EPHI, to restrict access to authorized users.

§ 164.310(d)(1) Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility.

§ 164.310(d)(2)(i) Have you implemented policies and procedures to address final disposition of EPHI, and/or hardware or electronic media on which it is stored? (Page 93) All storage devices and media are to be given to the authorized IT staff for disposal. Storage devices and media may be disposed of only by an authorized IT staff member. Prior to disposal, the storage media are sanitized either by means of degaussing, triple overwriting, or physically dismantling and destroying the storage media.

§ 164.310(d)(2)(ii) Have you implemented procedures for removal of EPHI from electronic media before the media are available for reuse? (R) (Pages 93, 94) Prior to reuse, the storage devices and electronic media are sanitized either by means of degaussing, triple overwriting, or physically dismantling and destroying the storage media. All software and data are removed from all computer equipment prior to reuse of the equipment. Disk drives are sanitized by degaussing or triple overwriting. Logs are maintained of all computer equipment and storage media that have been prepared for reuse. These logs include the date on which storage media were sanitized and a description of the sanitizing method used.

§ 164.310(d)(2)(iii) Do you maintain a record of the movements of hardware and electronic media and the person responsible for its movement? (A) (Page 85) Log entries are made in the inventory of computer hardware for all equipment that is moved within or from the medical practice's facilities. The log entry includes:

* The date on which the equipment was moved
* The destination of the equipment
* The reason for moving, such as relocation, repair, reuse, or disposal
* The person responsible for preparing the equipment for movement, including any sanitizing of storage devices

§ 164.310(d)(2)(iv) Do you create a retrievable, exact copy of EPHI, when needed, before movement of equipment? (A) (Page 92) Before computer equipment is relocated within or removed from the medical practice's facilities, a retrievable, exact back-up copy is created of any EPHI that is contained on storage devices that are integral parts of a piece of computer equipment.

HIPAA SECURITY RULE - Technical Safeguards (R = Required, A = Addressable)

§ 164.312(a)(1) Access Control: Implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4). (Page 80)

§ 164.312(a)(2)(i) Unique user identification: Have you assigned a unique name and/or number for identifying and tracking user identity? (R) (Page 108) Every staff member authorized to use the medical practice's information systems is given a unique user name and selects a password known only to the staff member. The unique user identifier can be used to track user activity within information systems that contain EPHI. Staff members must use their user name and password when using the information system and accessing PHI.

§ 164.312(a)(2)(ii) Emergency access procedure: Have you established (and implemented as needed) procedures for obtaining necessary EPHI during an emergency? (R) (Page 95) In the event of loss of power, or damage to equipment due to fire, water, earthquake, or any other natural or manmade disaster, battery-powered portable devices with wireless access may be used to access the web-based system which contains necessary EPHI.

§ 164.312(a)(2)(iii) Automatic logoff: Have you implemented procedures that terminate an electronic session after a predetermined time of inactivity? (A) (Page 88) All workstations are configured to log users off after 10 minutes of inactivity. After being automatically logged off, a user must re-enter his or her user name and password to resume the interrupted activity. Users may not disable this automatic log-off feature.

§ 164.312(a)(2)(iv) Encryption and decryption: Have you implemented a mechanism to encrypt and decrypt EPHI? (A) (Page 96) Data should be encrypted when it is transmitted over a network that might be accessible by unauthorized individuals. Information that can be used to alter or defeat the medical practice's security measures also should be encrypted. The technical methods used to implement encryption and decryption are determined by the security official.

§ 164.312(b) Audit controls: Have you implemented audit controls, hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI? (R) (Page 87) The security official implements technical measures to create a record of information system activity, including user log-on/log-off and start-up/shut-down of technical security measures. The security official will regularly review records of system activity such as audit logs, access reports, and security incident tracking. This policy and procedure will adhere to the policies and procedures developed to comply with the required implementation specification at § 164.308(a)(1)(ii)(D) for Information System Activity Review.
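The activity review that § 164.308(a)(1)(ii)(D), the log-in monitoring item § 164.308(a)(5)(ii)(C) and the audit controls item § 164.312(b) all call for, shown as an added example that is not part of the checklist or the practice's tooling. It runs a first pass over audit-log lines and flags the patterns the policy text says the security official investigates: repeated log-in failures by one account inside a short window (attempted penetration), record access by an account that the termination procedure should already have disabled, and record access outside business hours. The "TIMESTAMP key=value ..." log format, the user names, the clinic hours, the thresholds and the sample lines are all constructed assumptions; a real deployment would read the EHR's own audit export and a terminated-user feed from the termination procedure.

```python
"""First-pass review of information-system activity records.

Added example, not the practice's tooling. The 'TIMESTAMP key=value ...' log
format, user names, clinic hours and thresholds are assumptions; the sample
lines are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5                 # failures by one user within the window
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 20)              # 07:00-19:59, assumed clinic hours
TERMINATED_USERS = {"rsmith"}              # assumed feed from the termination procedure

# Constructed sample audit lines: a burst of failures, a success, a normal
# access, and an after-hours access by an account that should be disabled.
SAMPLE_LOG = """\
2013-10-24T09:00:01 user=jdoe event=login result=FAIL src=10.0.0.5
2013-10-24T09:00:12 user=jdoe event=login result=FAIL src=10.0.0.5
2013-10-24T09:00:25 user=jdoe event=login result=FAIL src=10.0.0.5
2013-10-24T09:00:40 user=jdoe event=login result=FAIL src=10.0.0.5
2013-10-24T09:01:03 user=jdoe event=login result=FAIL src=10.0.0.5
2013-10-24T09:02:10 user=jdoe event=login result=OK src=10.0.0.5
2013-10-24T10:15:00 user=jdoe event=record_access mrn=000123 action=view
2013-10-24T22:30:44 user=rsmith event=record_access mrn=000123 action=view
""".splitlines()


def parse_line(line: str) -> dict:
    """Parse one 'TIMESTAMP key=value key=value ...' line into a dict with a datetime."""
    stamp, _, rest = line.partition(" ")
    fields = dict(item.split("=", 1) for item in rest.split())
    fields["ts"] = datetime.fromisoformat(stamp)
    return fields


def review_activity(lines) -> list:
    """Return (finding, user, timestamp) tuples for the patterns the security
    official is expected to investigate. Lines must be in time order."""
    findings = []
    recent_failures = defaultdict(deque)   # user -> timestamps of failures still inside the window
    for event in map(parse_line, lines):
        user, ts = event["user"], event["ts"]
        if event.get("event") == "login" and event.get("result") == "FAIL":
            window = recent_failures[user]
            window.append(ts)
            while ts - window[0] > FAILED_LOGIN_WINDOW:   # expire failures older than the window
                window.popleft()
            if len(window) == FAILED_LOGIN_THRESHOLD:     # report once, when the threshold is hit
                findings.append(("repeated_login_failures", user, ts))
        elif event.get("event") == "record_access":
            if user in TERMINATED_USERS:
                findings.append(("access_by_terminated_account", user, ts))
            if ts.hour not in BUSINESS_HOURS:
                findings.append(("after_hours_access", user, ts))
    return findings


if __name__ == "__main__":
    for finding in review_activity(SAMPLE_LOG):
        print(*finding)
```

Two details matter in practice: the failure counter is a sliding window per account, so five failures spread over a day do not trip it, while five inside ten minutes do; and the terminated-account check only works if the review is fed the same termination dates the security official receives under § 164.308(a)(3)(ii)(C), which makes that feed part of the audit control rather than a separate HR concern.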

§ 164.312(c)(1) Integrity: Implement policies and procedures to protect EPHI from improper alteration or destruction. (Page 98) The security official implements procedures and technical measures to guard electronic health information from improper alteration or destruction. Staff members must follow these procedures and may not take any action to evade the technical measures.

§ 164.312(c)(2) Mechanism to authenticate electronic protected health information: Have you implemented electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner? (A) (Page 98)

§ 164.312(d) Person or Entity Authentication: Have you implemented person or entity authentication procedures to verify that a person or entity seeking access to EPHI is the one claimed? (R) (Page 101) All users must use their passwords when logging on to the medical practice's information system. Passwords should not be written down or disclosed to other members of the staff, friends, family, or anyone else. A staff member may not use another staff member's user name and password to access the medical practice's information system. Staff members may not give their passwords to other staff members. Passwords should comply with the password guidelines under § 164.308(a)(5)(ii)(D) above.

§ 164.312(e)(1) Transmission Security: Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.

§ 164.312(e)(2)(i) Integrity controls: Have you implemented security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of? (A) (Page 108) The security official will implement security measures to monitor and ensure that electronically transmitted EPHI is not modified in transmission.

§ 164.312(e)(2)(ii) Encryption: Have you implemented a mechanism to encrypt EPHI whenever deemed appropriate? (A) (Page 96) The security official identifies any circumstances under which information transmitted by the practice must be encrypted to prevent its use by unauthorized recipients. The security official ensures that staff members responsible for transmitting information are familiar with encryption requirements and the use of encryption software. Staff responsible for transmitting information must encrypt it when directed to do so by the security official.

16

HITECH ACT

13401 Page 89 - Application of security provisions and penalties to Business Associates of Covered Entities; annual guidance on security provisions
Question: Are Business Associate Agreements updated appropriately?
- The HITECH Act changes applicable to covered entities also apply to business associates for both privacy and security and need to be incorporated into the BA agreements.
Instruction: Medical practices must use the current contract/agreement for Business Associates. Business Associate Agreements must be updated appropriately to incorporate changes in order to meet federal guidelines.

Page 110 - Notification in the case of breach
Requirement (110, 111): Process for notification to the following in the event of a breach of unsecured PHI:
- Individuals
- Media
- Secretary of HHS
Instruction: See pages for notification requirements for Individuals, Media, Secretary of HHS and by a Business Associate.

Page 96 - Use of encryption in accordance with HHS guidance
Requirement: For example, the use of FIPS whole disk encryption as specified in NIST.
Instruction: Staff responsible for storing and/or transmitting information must encrypt it when directed to do so by the security official. Use of encryption in accordance with FIPS (Federal Information Processing Standard) whole disk encryption as specified in NIST (National Institute of Standards and Technology) will be considered if determined necessary based on a risk analysis.

17

13405 Pages 16, 24, 25, 28, 30, 32, 33, 34, 35, 36, 49, 50, 51, 59, 60 (NPP pages 3 & 4) - Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format

Page 34 - Process for Handling Individual's Request to Restrict Disclosure
Policy (34): A patient may request restrictions on the use and disclosure of protected health information for treatment, payment, and health care operations as provided for in the standard consent form. A patient also may request restrictions on the use and disclosure of protected health information covered by an authorization form.

Page 16 - Limit disclosure or use of PHI to the minimum necessary to accomplish the purpose by, to the extent possible, limiting use/disclosure to a "limited data set"
Policy (16): Staff must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose by, to the extent possible, limiting use/disclosure to the limited data set for which the request is made. For all other requests, staff must review the request on an individual basis to determine that the protected health information sought is limited to the information reasonably necessary to accomplish the purpose for which the request is made. Staff may not use, disclose, or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.

18

13405(c) Page 49 - Accounting of certain protected health information disclosures required if CE uses electronic health record
Requirement (49): If Covered Entities use electronic health records, Covered Entities must include disclosures made through an EHR for payment/treatment/health care operations on the accounting, and the individual can get an accounting of payment/treatment/health care operations disclosures made during the past 3 years.
Policy P-7000 Accounting for Disclosures (49): The policies in this section of the privacy manual establish procedures for developing the Notice of Privacy Practices form and obtaining patient consent to, or authorization of, use and disclosure of protected health information. If there is an electronic health record (EHR) or electronic medical record (EMR), there must be an accounting of disclosures made through the EHR or EMR for payment, treatment, and health care operations, and an accounting of disclosures made during the past 3 years must be made available to the patient.

Page - Process to allow an individual to obtain an accounting of disclosures made by the Covered Entity and Business Associates, or an accounting of disclosures by the Covered Entity and a list of Business Associates with contact information
Requirement: Business Associates must give individuals an accounting of PHI disclosures.
Policy: Staff will provide the patient with a list of Business Associates with contact information. Business Associates must give individuals an accounting of PHI disclosures.


Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute Health Law Institute Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More Brooke Bennett Aziere October 18, 2017 Agenda Enforcement Trends Phase 2 HIPAA Audits Upcoming Initiatives 1 Enforcement

More information

Virtua Health, Inc. is a 501 (c) (3) non-profit corporation located in Marlton, New Jersey ( Virtua ).

Virtua Health, Inc. is a 501 (c) (3) non-profit corporation located in Marlton, New Jersey ( Virtua ). myvirtua.org Terms of Use PLEASE READ THESE TERMS OF USE CAREFULLY Virtua Health, Inc. is a 501 (c) (3) non-profit corporation located in Marlton, New Jersey ( Virtua ). Virtua has partnered with a company

More information

Data Processing Agreement

Data Processing Agreement In accordance with the European Parliament- and Council s Directive (EU) 2016/679 of 27th April 2016 (hereinafter GDPR) on the protection of physical persons in connection with the processing of personal

More information

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges Pennsylvania ehealth Partnership Authority Pennsylvania s Journey for Health Information Exchange CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 Pittsburgh,

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016 How to Respond to a HIPAA Breach Tuesday, Oct. 25, 2016 This Webinar is Brought to You By. About HealthInsight and Mountain-Pacific Quality Health HealthInsight and Mountain-Pacific Quality Health are

More information

HIPAA Privacy, Security and Breach Notification 2017

HIPAA Privacy, Security and Breach Notification 2017 HIPAA Privacy, Security and Breach Notification 2017 An Eagle Associates Presentation Eagle Associates, Inc. www.eagleassociates.net info@eagleassociates.net P.O. Box 1356 Ann Arbor, MI 48106 800-777-2337

More information

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA CYBERSECURITY IN THE POST ACUTE ARENA AGENDA 2 Introductions 3 Assessing Your Organization 4 Prioritizing Your Review 5 206 Benchmarks and Breaches 6 Compliance 0 & Cybersecurity 0 7 Common Threats & Vulnerabilities

More information

The ABCs of HIPAA Security

The ABCs of HIPAA Security The ABCs of HIPAA Security Daniel F. Shay, Esq 24 th Annual Health Law Institute Pennsylvania Bar Institute March 13, 2018 c. 2018 Alice G. Gosfield and Associates PC 1 Daniel F. Shay, Esq. Alice G. Gosfield

More information

HPE DATA PRIVACY AND SECURITY

HPE DATA PRIVACY AND SECURITY ARUBA, a Hewlett Packard Enterprise company, product services ( Services ) This Data Privacy and Security Agreement ("DPSA") Schedule governs the privacy and security of Personal Data by HPE in connection

More information

TERMS OF USE Terms You Your CMT Underlying Agreement CMT Network Subscribers Services Workforce User Authorization to Access and Use Services.

TERMS OF USE Terms You Your CMT Underlying Agreement CMT Network Subscribers Services Workforce User Authorization to Access and Use Services. TERMS OF USE A. PLEASE READ THESE TERMS CAREFULLY. YOUR ACCESS TO AND USE OF THE SERVICES ARE SUBJECT TO THESE TERMS. IF YOU DISAGREE OR CANNOT FULLY COMPLY WITH THESE TERMS, DO NOT ATTEMPT TO ACCESS AND/OR

More information

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7. Appropriate Methods of Communicating Protected Health Information

WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7. Appropriate Methods of Communicating Protected Health Information WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7 Appropriate Methods of Communicating Protected Health Information Statement of Policy Washington University and its member organizations (collectively, Washington

More information

Implementing an Audit Program for HIPAA Compliance

Implementing an Audit Program for HIPAA Compliance Implementing an Audit Program for HIPAA Compliance Mike Lynch Fifth National HIPAA Summit November 1, 2002 Seven Guiding Principles of HIPAA Rules Quality and Availability of Care Nothing in the proposed

More information

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates Ruby Raley, Director Healthcare Solutions Axway Agenda Topics: Using risk assessments to improve

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Personnel Security Standard This standard is applicable to all VCU School of Medicine personnel. Approval

More information

HIPAA COMPLIANCE AND

HIPAA COMPLIANCE AND INTRONIS MSP SOLUTIONS BY BARRACUDA HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and Intronis Cloud Backup and

More information