This page contains a step by step template for working on the processes and the paperwork that become your HIPAA (documentation) Plan. We have also included the individual files for download (and/or printing) from this page, even though they are in the "complete kit".

This is broken into three (3) major categories: Administrative Safeguards, Physical Safeguards and Technical Safeguards. Items listed in RED below may need outside assistance from Solutions, Inc or other qualified vendors.
- Administrative Safeguards:
  - §164.308(a)(1)(i) SECURITY MANAGEMENT PROCESS – Standard 1
    - Fill in Inventory Worksheets for HIPAA - EPHI - Inventory - PC-Servers (.xls). Place this in workbook under tab: Administrative Safeguards - Security Management Process - Standard 1.
    - Optionally, create a map of the locations of EPHI-affected wiring, switches, servers, PCs and printers. Place this in workbook under tab: Administrative Safeguards - Security Management Process - Standard 1.
    - Run Risk Assessment Simple - Risk - Simple 1 (.xls). Make appropriate entries and changes. Place this in workbook under tab: Administrative Safeguards - Security Management Process - Standard 1.
    - Optionally, run the Microsoft Security Risk Self-Assessment Tool (.exe). Place this in workbook under tab: Administrative Safeguards - Security Management Process - Standard 1.
    - Make changes to the environment based on the Risk Analysis. Use the worksheet to document these changes.
    - Have a Network Security Analysis run to look for potential problems. Either have this done in-house or with outside assistance (Solutions, Inc. can run this analysis, with GFI LANguard tools, for you if requested to do so).
    - Make changes to the environment based on the Security Analysis.
    - Set up training for employees on HIPAA. Use Security Awareness Training (.ppt), modified to your needs. Place this in workbook under tab: Training Materials.
    - Have the Security Officer get training on how to view user activity and system activity, including audit logs, access logs and security incidents.
  - §164.308(a)(2) ASSIGNED SECURITY RESPONSIBILITY – Standard 2
    - Select Security Official(s) within your organization. Update their job descriptions and have them sign them. Print Sample Security Officer Addendum (.doc). Place this in workbook under tab: Administrative Safeguards - Assigned Security Responsibility - Standard 2.
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 1.
  - §164.308(a)(3)(i) WORKFORCE SECURITY – Standard 3
    - Run Repository (.xls). Fill in the form. Place this in workbook under tab: Administrative Safeguards - Workforce Security - Standard 3.
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 2.
  - §164.308(a)(4)(i) INFORMATION ACCESS MANAGEMENT – Standard 4
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 3 & # 4.
    - Create Training Materials that cover new and existing employees.
  - §164.308(a)(5)(i) SECURITY AWARENESS AND TRAINING – Standard 5
    - Review risk and security materials with new and existing employees.
    - Install anti-virus software for mail and network. It needs to be installed on ALL systems in the network, regardless of whether they hold EPHI.
    - Establish a method for reviewing access logs and logins.
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 4, # 5, # 6, # 7.
  - §164.308(a)(6)(i) SECURITY INCIDENT PROCEDURES – Standard 6
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 7.
    - Run Incident Report (.xls). Place this in workbook under tab: Administrative Safeguards - Security Incident Procedures - Standard 3.
  - §164.308(a)(7)(i) CONTINGENCY PLAN – Standard 7
    - Review HIPAA - EPHI - Inventory - PC-Servers (.xls) created in #1 above.
    - Create a backup plan for EPHI-affected systems.
    - Create a Disaster Recovery Plan.
    - Test the backup recovery plan.
    - Create a Contingency Plan for location, systems and software.
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 8.
  - §164.308(a)(8) EVALUATION – Standard 8
    - Run a Security Analysis of all networked EPHI-connected systems. Place this in workbook under tab: Administrative Safeguards - Evaluation - Standard 8.
    - Run a Security Analysis of e-mail systems. Place this in workbook under tab: Administrative Safeguards - Evaluation - Standard 8.
    - Run a Security Analysis of physical resources.
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 9.
  - §164.308 (8)(b)(1) BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENTS – Standard 9
    - If needed, print out Sample BUSINESS ASSOCIATE AGREEMENT (.DOC) and have it reviewed with the County Attorney.
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 10.
- Physical Safeguards:
  - §164.310(a)(1) FACILITY ACCESS CONTROLS – Standard 1
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 11.
    - Review Inventory Worksheets for HIPAA - EPHI - Inventory - PC-Servers (.xls) created in #1 above. Make appropriate changes to the environment.
    - Fill out the Physical Safeguards (.xls) spreadsheet and place this in workbook under tab: Physical Safeguards - Facility Access Controls - Standard 1.
    - Print out the Maintenance Records (.xls) worksheet and place this in workbook under tab: Physical Safeguards - Facility Access Controls - Standard 1.
    - As part of the Disaster Recovery Plan, create a Contingency Operations Plan, to include a secondary location from which to deliver services.
  - §164.310(b) WORKSTATION USE – Standard 2
    - Print Workstation Use Policy (.doc) and review it with employees. Place in workbook under tab: Physical Safeguards - Workstation Use - Standard 2.
    - Set up security standards on workstations: passwords, log-off policies, etc.
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 12 and Exhibit A, Computer Use Policy.
  - §164.310(c) WORKSTATION SECURITY – Standard 3
    - See Workstation Use Policy (.doc) in workbook under tab: Physical Safeguards - Workstation Use - Standard 2.
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 13.
  - §164.310(d)(1) DEVICE AND MEDIA CONTROLS – Standard 4
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 14.
    - Print Media Controls (.xls). Place in workbook under tab: Physical Safeguards - Device and Media Controls - Standard 4. Review HIPAA Security Policy # 14 with employees.
    - Review the backup and recovery plan and implement it.
- Technical Safeguards:
  - §164.312(a)(1) ACCESS CONTROL – Standard 1
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 15.
    - Optionally, print COMPUTER USE ELECTRONIC INFORMATION SECURITY POLICY (.doc) and place this in workbook under tab: Physical Safeguards - Workstation Security - Standard 2.
    - Optionally, go to the Cisco website http://www.ciscowebtools.com/spb/ and run the Security Policy Creator.
    - Implement user security. Implement security Level 30 on the AS/400. Set password expiration to 60 days.
    - Instruct the Security Manager how to change passwords and access protected systems in case of an emergency.
    - Set systems to automatically log off, dependent on the user's job description or class. Train the Security Manager how to maintain this function.
  - §164.312(b) AUDIT CONTROLS – Standard 2
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 16.
    - Run another security audit on EPHI-affected systems after the above have been implemented. Train the Security Officer how to run selected audits and document them.
  - §164.312(c)(1) INTEGRITY – Standard 3
    - Review anti-virus software with employees and the Security Officer. Teach the Security Officer how to run reports.
    - If not already done as part of Disaster Recovery, implement RAID on servers and backup procedures from PCs to servers.
    - Review e-mail anti-virus software with employees and the Security Officer. Teach the Security Officer how to run reports.
    - Review and/or install a firewall and intrusion detection with the Security Officer. Teach the Security Officer how to run reports.
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 17.
  - §164.312(d) PERSON OR ENTITY AUTHENTICATION – Standard 4
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 18.
  - §164.312(e)(1) TRANSMISSION SECURITY – Standard 5
    - Review Policies and Procedures filed in the Policies Section: HIPAA Security Policy # 19.
    - Review electronic transmission (example: ISIS) with assigned employees and Security Officers.
    - Does the County allow EPHI-involved systems to go to FTP sites, bulletin boards or other download sites?
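The AS/400 settings named under Access Control above (security Level 30, 60-day password expiration, automatic logoff), written out as IBM i CL system-value commands. This is an added example, not part of the kit; the 15-minute idle timeout and the "before" values are assumptions chosen for contrast.

```cl
/* Added example: IBM i (AS/400) system values behind the Access Control items.  */
/* Display the current values first and record them in the workbook.              */
DSPSYSVAL SYSVAL(QSECURITY)    /* security level; 30 adds resource (object) security */
DSPSYSVAL SYSVAL(QPWDEXPITV)   /* password expiration interval, in days              */
DSPSYSVAL SYSVAL(QINACTITV)    /* inactive interactive job timeout, in minutes       */
DSPSYSVAL SYSVAL(QINACTMSGQ)   /* action taken when QINACTITV expires                */

/* Weak settings often found before the review (assumed values, for contrast):     */
/*   QSECURITY  20      - password sign-on only, object authorities not checked     */
/*   QPWDEXPITV *NOMAX  - passwords never expire                                   */
/*   QINACTITV  *NONE   - idle sessions never time out                             */

/* Corrected settings per the checklist: Level 30 and 60-day password expiration. */
CHGSYSVAL SYSVAL(QSECURITY)  VALUE('30')   /* takes effect at the next IPL */
CHGSYSVAL SYSVAL(QPWDEXPITV) VALUE('60')

/* Automatic logoff: end interactive jobs idle for 15 minutes (assumed interval).  */
/* '*DSCJOB' would disconnect the job instead of ending it.                        */
CHGSYSVAL SYSVAL(QINACTITV)  VALUE('15')
CHGSYSVAL SYSVAL(QINACTMSGQ) VALUE('*ENDJOB')
```

QINACTITV applies system-wide, so the per-job-class logoff the checklist asks for needs QINACTMSGQ pointed at a message queue with a monitoring program rather than *ENDJOB. IBM's current guidance treats security level 40 as the minimum, because level 30 does not prevent programs from reaching objects through unsupported interfaces; Level 30 is what this checklist specifies.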
If you would like to see alternatives and additional resources we have found while researching HIPAA compliance issues, please visit the Reference Materials from the left menu.