Processes

This page contains a step-by-step template for working through the processes and the paperwork that becomes your HIPAA (documentation) Plan. The individual files are also available for download (and/or printing) from this page. This is the ORIGINAL information and may need to be modified for the 2013 revised Safeguards.

This is broken into three (3) major categories:

Items listed in RED below may need outside assistance from Solutions, Inc. or other qualified vendors.

  • Administrative Safeguards:
    • 164.308(a)(1)(i) SECURITY MANAGEMENT PROCESS - Standard 1
      • Fill in the Inventory Worksheets for HIPAA - EPHI - Inventory - PC-Servers (.xls) - Place this in the workbook under tab - Administrative Safeguards - Security Management Process - Standard 1
      • Optionally - Create a map of the locations of EPHI-affected wiring, switches, servers, PCs and printers - Place this in the workbook under tab - Administrative Safeguards - Security Management Process - Standard 1
      • Run Risk Assessment Simple - Risk - Simple 1 (.xls) - Make appropriate entries and changes - Place this in the workbook under tab - Administrative Safeguards - Security Management Process - Standard 1
      • NO LONGER AVAILABLE - You may need to use a different Security Risk Assessment - Optionally - Run a Microsoft Security Risk Self-Assessment Tool (available from Microsoft) - Place this in the workbook under tab - Administrative Safeguards - Security Management Process - Standard 1
      • Make changes to the environment based on the Risk Analysis - Use the worksheet to document these changes
      • Have a Network Security Analysis run to look for potential problems - Either have this done in-house or with outside assistance (Solutions, Inc. can run this analysis - with GFI LANguard tools - for you if requested to do so)
      • Make changes to the environment based on the Security Analysis
      • Set up training for employees on HIPAA - Use Security Awareness Training (.ppt) - Modify to your needs - Place this in the workbook under tab - Training Materials
      • Have the Security Officer get training on how to view user activity and system activity, including audit logs, access logs and security incidents.
    • 164.308(a)(2) ASSIGNED SECURITY RESPONSIBILITY - Standard 2
      • Select Security Official(s) within your organization - Update their job descriptions and have them sign them. Print the Sample Security Officer Addendum (.doc) - Place this in the workbook under tab - Administrative Safeguards - Assigned Security Responsibility - Standard 2
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 1
    • 164.308(a)(3)(i) WORKFORCE SECURITY - Standard 3
      • Run Repository (.xls) - Fill in the form - Place this in the workbook under tab - Administrative Safeguards - Workforce Security - Standard 3
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 2
    • 164.308(a)(4)(i) INFORMATION ACCESS MANAGEMENT - Standard 4
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 3 & # 4
      • Create Training Materials that cover new and existing employees
    • 164.308(a)(5)(i) SECURITY AWARENESS AND TRAINING - Standard 5
      • Review Risk and Security materials with new and existing employees
      • Install Anti-Virus Software for mail and network - This needs to be installed on ALL systems in the network, regardless of EPHI
      • Establish a method for reviewing access logs and logins
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 4, # 5, # 6, # 7
    • 164.308(a)(6)(i) SECURITY INCIDENT PROCEDURES - Standard 6
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 7
      • Run Incident Report (.xls) - Place this in the workbook under tab - Administrative Safeguards - Security Incident Procedures - Standard 6
    • 164.308(a)(7)(i) CONTINGENCY PLAN - Standard 7
      • Review HIPAA - EPHI - Inventory - PC-Servers (.xls) created in #1 above
      • Create a Backup Plan for EPHI-affected systems
      • Create a Disaster Recovery Plan
      • Test the Backup Recovery Plan
      • Create a Contingency Plan for location, systems and software
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 8
    • 164.308(a)(8) EVALUATION - Standard 8
      • Run a Security Analysis of all networked EPHI-connected systems - Place this in the workbook under tab - Administrative Safeguards - Evaluation - Standard 8
      • Run a Security Analysis of e-mail systems - Place this in the workbook under tab - Administrative Safeguards - Evaluation - Standard 8
      • Run a Security Analysis of physical resources
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 9
    • 164.308(b)(1) BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENTS - Standard 9
      • If needed, print out the Sample BUSINESS ASSOCIATE AGREEMENT (.doc) and have it reviewed with the County Attorney
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 10
  • Physical Safeguards:
    • 164.310(a)(1) FACILITY ACCESS CONTROLS - Standard 1
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 11
      • Review the Inventory Worksheets for HIPAA - EPHI - Inventory - PC-Servers (.xls) created in #1 above - Make appropriate changes to the environment.
      • Fill out the Physical Safeguards (.xls) spreadsheet and place this in the workbook under tab - Physical Safeguards - Facility Access Controls - Standard 1
      • Print out the Maintenance Records (.xls) worksheet and place this in the workbook under tab - Physical Safeguards - Facility Access Controls - Standard 1
      • As part of the Disaster Recovery Plan - Create a Contingency Operations Plan - to include a secondary location from which to deliver services
    • 164.310(b) WORKSTATION USE - Standard 2
      • Print the Workstation Use Policy (.doc) and review it with employees - Place in the workbook under tab - Physical Safeguards - Workstation Use - Standard 2
      • Set up security standards on workstations: passwords, log-off policies, etc.
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 12 and Exhibit A Computer Use Policy
    • 164.310(c) WORKSTATION SECURITY - Standard 3
      • See the Workstation Use Policy (.doc) in the workbook under tab - Physical Safeguards - Workstation Use - Standard 2
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 13
    • 164.310(d)(1) DEVICE AND MEDIA CONTROLS - Standard 4
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 14
      • Print Media Controls (.xls) - Place in the workbook under tab - Physical Safeguards - Device and Media Controls - Standard 4 - Review HIPAA Security Policy # 14 with employees
      • Review the Backup and Recovery Plan and implement it.
  • Technical Safeguards:
    • 164.312(a)(1) ACCESS CONTROL - Standard 1
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 15
      • Optionally print the COMPUTER USE ELECTRONIC INFORMATION SECURITY POLICY (.doc) and place this in the workbook under tab - Physical Safeguards - Workstation Security - Standard 2
      • NO LONGER AVAILABLE - Optionally go to the Cisco website http://www.ciscowebtools.com/spb/ and run the Security Policy Creator.
      • Implement user security. Implement security level 30 on the AS/400. Set password expiration to 60 days
      • Instruct the Security Manager how to change passwords and access protected systems in case of an emergency
      • Set systems to automatically log off users depending on their job description or class. Train the Security Manager on how to maintain this function
    • 164.312(b) AUDIT CONTROLS - Standard 2
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 16
      • Run another Security Audit on EPHI-affected systems after the above have been implemented - Train the Security Officer on how to run selected audits and document them.
    • 164.312(c)(1) INTEGRITY - Standard 3
      • Review Anti-Virus Software with employees and the Security Officer - Teach the Security Officer how to run reports
      • If not already done as part of Disaster Recovery, implement RAID on servers and backup procedures from PCs to servers
      • Review e-mail Anti-Virus Software with employees and the Security Officer - Teach the Security Officer how to run reports
      • Review and/or install a Firewall and Intrusion Detection with the Security Officer - Teach the Security Officer how to run reports
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 17
    • 164.312(d) PERSON OR ENTITY AUTHENTICATION - Standard 4
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 18
    • 164.312(e)(1) TRANSMISSION SECURITY - Standard 5
      • Review Policies and Procedures filed in the Policies Section - HIPAA Security Policy # 19
      • Review electronic transmission (for example, ISIS) with the assigned employees and Security Officers
      • Does the County allow EPHI-involved systems to connect to FTP sites, bulletin boards, or other download sites?

If you would like to see alternatives and additional resources we have found while researching HIPAA compliance issues, please visit the Reference Materials page.


This information is provided to assist entities within the State of Iowa in understanding the obligations imposed by the Health Insurance Portability and Accountability Act (HIPAA). Solutions, Inc. provides no guarantees or warranties of any kind. Utilization of this information is at the sole risk of the user. As with any matter of law, independent legal counsel should be consulted regarding compliance with the requirements of the HIPAA.
Questions or problems regarding this web site should be directed to hipaa@gmdsolutions.com.

Last modified: 01/02/15.
Copyright 2005 - 2015 Solutions, Inc. All rights reserved.