To-Do List for Accountable Policy Implementation

Detailed to-do list of what a company or privacy officer needs to implement in order to say they are compliant with XYZ policy.

Note: the ‘Enforcement Sanctions’ policy and the ‘Sanctions’ policy are one and the same.

The Policy Mapping Document page has been linked to here as well for ease. 

1 - Incident Reporting Policy

If there is an unauthorized disclosure of PHI and the business type is a Covered Entity, these are the steps to take to satisfy the policy requirements:

  1. Make sure employees attest to this policy to show they know how to recognize when an incident occurs.

  2. The Incident Response System in Accountable is the incident response system as mentioned in the policy. When a situation calls for it, this policy tells employees where to submit their report.

  3. Accountable will monitor for submissions of incidents, so this task is a passive but very important one

  4. If Accountable emails you to say an incident has been reported and you are not already familiar with how to address/mitigate said incident, please contact Support for tailored support, as every use case can be different.

  5. Possibly the most important item in this to-do list: ensure that any incidents that occur within a calendar year are reported to the OCR every January first.

If there is an unauthorized disclosure of PHI and the business type is a Business Associate, these are the steps to take to satisfy the policy requirements:

  1. Make sure employees attest to this policy in order to display they know how to spot when an incident occurs.

  2. Alert any Covered Entities you may service who were affected by an incident.

  3. Assist your Covered Entity clients in mitigating the incident, to the extent practicable for your Organization.

2 - Notification of Breach

  1. Make sure employees attest to this policy to show they know how to recognize when a breach of PHI data occurs.

  2. The most important to-do here is to be proactive by having a breach response plan as explained in this policy

  3. Aside from having a plan, the company will review and update it annually, following any incident, and whenever necessary to comply with changes in the law.

  4. Be sure to save documentation regarding your current year’s compliance plan and up to six years of plans from past compliance efforts

  5. Be sure to name your primary breach contact inside of this policy, should an adverse event occur. This is done so people know who to get hold of.

  6. Refer to this policy to learn the duties and responsibilities of the primary breach contact

  7. Refer to this policy for guidance on structuring your breach response plan and what it requires

  8. Refer to this policy when in need of a refresher on the process, timeline and notification requirements one follows in the event of a Breach.

  9. Be sure to check your State laws to see if there are further steps needed to be in compliance with State acts.

3 - Documentation, Records Retention, and Documentation Destruction

  1. Make sure employees attest to this policy so they understand the Organization’s rules on handling and destroying documentation.

  2. Save, for six years, any policies, procedures and other document types named in the policy that are pursuant to HIPAA and that you ever enact, even if you stop following that set of rules when updating your overall compliance plan.

  3. Be sure to save the documentation from step 2 for a minimum of 6 (six) years

  4. You are permitted to destroy documentation via shredding only after waiting the requisite 6 years for documents containing PHI.

4 - Sanctions for Non-Compliance

  1. Make sure employees attest to the policy to show they understand the punitive measures your Organization may take for violating company compliance policies / procedures.

  2. Be aware that this policy includes language stating that punishments can / will be up to and including termination for non-compliant behavior.

  3. Keep any records or documentation in reference to the sanction for six years.

5 - Notice of Privacy Practice (Not applicable for Business Associates)

  1. Make sure employees attest to this policy to ensure they understand the Organizational requirements for a Notice of Privacy Practice.

  2. Be sure your Organization is disseminating a Notice of Privacy Practice, or NPP, to every patient before they first receive care, or in ER situations, as soon as is practicable.

  3. The channels through which you might provide an NPP are:

    1. By E-Notice

    2. Paper Copy

      1. For paper copies, this is done in-person, via a written request, or via availability on the Organization’s website.

  4. Obtain an acknowledgment of receipt from patient after supplying NPP

6 - Marketing and Fundraising

  1. Ensure employees attest to this policy so they understand how the marketing and fundraising rules apply to PHI and to your Organization.

  2. Ensure you never use PHI for fundraising as this is expressly forbidden

  3. Ensure that authorization is always received before any new marketing campaign which encourages a patient to use a product or service begins.

  4. There are certain cases where authorization is not needed. Refer to full policy for specific occurrences.

7 - Non-retaliation and Waiver

  1. Ensure employees attest to this policy to understand that they must not ever take any purposeful, negative action against a person for attempting to exercise their rights under HIPAA.

  2. Violations of this policy expose any employee of this Organization to the Sanctions Policy.

8 - Viruses and Malware; Application Updates

  1. Ensure you are using a HIPAA compliant security suite of applications (e.g. Norton Antivirus) to prevent unauthorized access to PHI.

    1. Verify security suite also provides a firewall

    2. Be sure to implement firewall

  2. After you purchase a security suite, the vendor will release ‘patches’ from time to time. A patch is a fix for a security flaw that an attacker could otherwise exploit; installing it keeps your suite of applications current and working as intended.

    1. Patches are to always be accepted/installed

    2. It is best practice to automate these ‘patch updates’

  3. Operating Systems for your Organization’s computers also receive patch updates; it is best practice to check weekly for these critical security fixes.

9 - Confidentiality Agreement

  1. Any employees, and any employees of third parties that do not meet the definition of a Business Associate, shall sign a Confidentiality Agreement with the Organization stating that they will keep PHI safe, secure and private. Any PHI seen in the course of a workday is to be disregarded by the third party’s employee.

10 - Restricted Internal Access to PHI

  1. Make sure employees attest to this policy in order to understand how your Organization restricts internal access to PHI.

  2. The Organization will implement technical measures that grant employees access to systems containing PHI only on an ‘as needed’ basis to perform their day-to-day work.

  3. The Company will have a ‘clean desk’ rule, which means anything of a physical nature containing PHI will be:

    1. Used only when working on a task related to said PHI

    2. Turned face down whenever possible to avoid exposure / incidents.

    3. Place any PHI in a locked area when not using the office for a prolonged period of time.

  4. If able, lock Office doors for employees who have access to PHI for an even more effective physical safeguard.

  5. If printing/copying/scanning to a shared device, it is important that employees stop by the device to pick up any paper containing PHI ASAP.

  6. Ensure you are presently, or planning to in the near future, utilizing encryption when sending emails which contain PHI.

  7. Implement a password requirement for entry to a terminal’s desktop (get past the Home Screen) which is able to touch PHI at any given time.

    1. Organization will require password updates on at least an annual basis

  8. Enact screensavers and auto Log-off that trigger after a terminal has been idle for 15 minutes.

  9. If the Organization provides its employees with portable devices (a laptop is the typical example), these devices shall stay in a locked room when not in use, be encrypted at the hard disk level (256-bit encryption via BitLocker or FileVault), and, to cover the total loss of an asset (for example, a laptop taken when a car is broken into), the Organization will implement remote wipe.
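The technical controls in section 8 (item 3, weekly OS patch checks) and section 10 (items 7 to 9: annual password change, 15-minute idle lock, 256-bit disk encryption) can be verified on each Windows workstation rather than taken on trust. The script below is an added example, not part of the Accountable policy text or product; it assumes Windows 10/11 with the built-in BitLocker PowerShell module, an elevated session, and the thresholds exactly as the page states them. Remote wipe (also in item 9) is enforced by an MDM and cannot be checked from the endpoint, so it is not covered.

```powershell
# Added example, not from the Accountable policy page: audit one Windows workstation
# against the technical controls in section 8 item 3 (OS patches checked weekly) and
# section 10 items 7-9 (annual password change, 15-minute idle lock, 256-bit disk
# encryption). Run in an elevated PowerShell session on Windows 10/11; Get-BitLockerVolume
# comes from the built-in BitLocker module. Thresholds are taken from the page's text.

$MaxPasswordAgeDays = 365   # section 10, item 7.1: password updates at least annually
$MaxIdleSeconds     = 900   # section 10, item 8: lock after 15 minutes idle
$MaxPatchAgeDays    = 7     # section 8, item 3: check weekly

$findings = New-Object System.Collections.Generic.List[string]

# 1. Local password policy. 'net accounts' prints a line such as
#    "Maximum password age (days):    42"  or  "... Unlimited".
$ageLine = (net accounts) | Where-Object { $_ -match 'Maximum password age' } | Select-Object -First 1
if ($ageLine -match '(\d+)') {
    $maxAge = [int]$Matches[1]
    if ($maxAge -gt $MaxPasswordAgeDays) {
        $findings.Add("Password max age is $maxAge days; policy requires <= $MaxPasswordAgeDays.")
    }
} else {
    $findings.Add("Password max age is Unlimited; policy requires <= $MaxPasswordAgeDays days.")
}

# 2. Idle screen lock for the current user. ScreenSaverIsSecure=1 means a password
#    is required on resume; ScreenSaveTimeOut is in seconds.
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$active  = [int]$desktop.ScreenSaveActive
$secure  = [int]$desktop.ScreenSaverIsSecure
$timeout = [int]$desktop.ScreenSaveTimeOut
if ($active -ne 1 -or $secure -ne 1) {
    $findings.Add("Screen saver is not active with password-on-resume.")
} elseif ($timeout -gt $MaxIdleSeconds) {
    $findings.Add("Screen lock triggers after $timeout s; policy requires <= $MaxIdleSeconds s.")
}

# 3. Full-disk encryption of the OS volume with a 256-bit cipher and protection on.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.VolumeStatus -ne 'FullyEncrypted' -or $os.ProtectionStatus -ne 'On') {
    $findings.Add("BitLocker on $env:SystemDrive is $($os.VolumeStatus), protection $($os.ProtectionStatus).")
} elseif ("$($os.EncryptionMethod)" -notmatch '256') {
    $findings.Add("BitLocker uses $($os.EncryptionMethod); policy calls for a 256-bit method.")
}

# 4. OS patch recency. Get-HotFix lists installed updates; some entries carry no
#    InstalledOn date, so those are skipped before taking the newest.
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch) {
    $findings.Add("No dated OS updates found; verify Windows Update is working.")
} elseif (((Get-Date) - $lastPatch.InstalledOn).TotalDays -gt $MaxPatchAgeDays) {
    $findings.Add("Last OS update installed $($lastPatch.InstalledOn.ToShortDateString()); policy calls for a weekly check.")
}

# Report. A non-zero exit code lets a scheduled task or RMM tool flag the machine.
if ($findings.Count -eq 0) {
    Write-Output "PASS: $env:COMPUTERNAME meets the audited controls."
    exit 0
}
Write-Output "FAIL: $env:COMPUTERNAME"
$findings | ForEach-Object { Write-Output " - $_" }
exit 1
```

Run it as a scheduled task and keep the output with your compliance records; a dated PASS/FAIL per machine is the kind of evidence the six-year documentation rule in section 3 expects you to be able to produce.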

11 - Termination Procedures

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Turn off access for any departing employees to applications/systems/etc. which contain/maintain PHI.

    1. Plan this ahead of termination, if able, to provide an easy transition.

  3. Disable the terminated individual's user profile in your EHR and any other systems they could access PHI your Organization may be responsible for. Migrate

  4. Document instances of the enforcement of this policy in a separate document.
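Items 2 and 4 above (turn off access, then document the enforcement separately) map directly onto an Active Directory deprovisioning step. The following is an added example, not Accountable's code or a procedure from the policy; it assumes the ActiveDirectory PowerShell module (RSAT), rights to modify the account, and placeholder values for the account name, ticket reference and log path. The EHR and other PHI systems named in item 3 each need their own equivalent step.

```powershell
# Added example, not from the Accountable policy page: disable a departing user's
# Active Directory account and record the action, per section 11 items 2 and 4.
# Assumes the ActiveDirectory PowerShell module (RSAT) and rights to modify the account.
# The sample account name, ticket reference and log path are placeholders.

param(
    [Parameter(Mandatory)] [string] $SamAccountName,          # e.g. 'jdoe' (placeholder)
    [string] $TicketReference = 'HR-TICKET-PLACEHOLDER',
    [string] $LogPath = 'C:\Compliance\termination-log.csv'   # placeholder path
)

Import-Module ActiveDirectory -ErrorAction Stop

$user = Get-ADUser -Identity $SamAccountName -Properties Enabled, Description, MemberOf

# Capture group memberships before the change so the record shows what access existed.
$groups = ($user.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'

# Disable sign-in and stamp the account so anyone who sees it later knows why it is off.
$stamp = "Disabled $(Get-Date -Format 'yyyy-MM-dd') per Termination Procedures policy ($TicketReference)"
Disable-ADAccount -Identity $SamAccountName
Set-ADUser -Identity $SamAccountName -Description $stamp

# Verify the change took effect before recording it.
$after = Get-ADUser -Identity $SamAccountName -Properties Enabled
if ($after.Enabled) {
    throw "Account $SamAccountName is still enabled; investigate before closing the ticket."
}

# Write the enforcement record the policy asks you to keep in a separate document.
New-Item -ItemType Directory -Force -Path (Split-Path -Parent $LogPath) | Out-Null
[pscustomobject]@{
    Timestamp   = (Get-Date).ToString('o')
    Account     = $SamAccountName
    PerformedBy = $env:USERNAME
    Ticket      = $TicketReference
    PriorGroups = $groups
    Result      = 'Disabled'
} | Export-Csv -Path $LogPath -Append -NoTypeInformation

Write-Output "Disabled $SamAccountName and logged the action to $LogPath"
```

Disabling rather than deleting the account preserves the audit trail and the user's group history, which matters when an incident is investigated later; the CSV log is the separate record item 4 calls for and should be retained with the rest of your six-year documentation.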

12 - Comprehensive Information Security Plan

Nothing needs to be done in a pragmatic sense for this policy alone. It is an administrative safeguard, indicating that by having this and all the other applicable policies from the security rule via Accountable, you have this plan established.

13 - Mitigation

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Refer to this policy when any unauthorized disclosure of PHI has occurred to see next steps.

  3. Contact Accountable for guidance, if needed.

14 - Complaints

(This does not apply to Business Associates)

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Upon receipt of a complaint regarding the violation of someone’s rights under the HIPAA Privacy Rule, the Privacy Officer is to be the main point of contact. List their contact information here.

  3. Privacy Officer will investigate the complaint made by the patient to see the entire picture.

  4. Based on the results of the investigation, the Privacy Officer will:

    1. Refer action to the sanction policy for internal purposes

    2. Work with a Business Associate to cure any violation

    3. Refer to Mitigation policy as needed

  5. Keep documentation related to the incident on-file for 6 years, as per policy.

15 - De-Identification Policy

This policy applies when your Organization works with research groups, transmits data sets, or supports research groups’ technology:

  • When you see the word De-Identification, think ‘redact’.

  • It is worthwhile to have this policy in place so that if, one day, someone at another company accidentally sends you de-identified PHI, you will know what to do with it, even if you are not presently working with it.

  • If you are aware that you are working directly with De-Identified PHI, be sure to apply the Minimum Necessary rule if you ever re-identify it.

16 - Business Associate Relationship

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Obtain a Business Associate Agreement for appropriate third party vendors.

  3. Send the Vendor Risk Questionnaire to the appropriate third party vendors

  4. Review the BAA on an annual basis looking for any material changes that have occurred between the parties in the last year

    1. IF there have been material changes to your relationship with a BA, send a new BAA

    2. IF there have NOT been material changes to your relationship with a BA there is no need to execute a new agreement but do write down somewhere that you have researched this on XXDATEXX to show due diligence.

  5. Refer to full policy in the event of a BA experiencing a breach for how to respond to said incident

17 - Personal Representatives

(Does Not Apply for Business Associates)

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Refer to this policy for steps on how to determine who is allowed the same right of access to PHI as the patient themselves.

  3. There are three exceptions for when a personal representative does not have the same right of access. Refer to this policy for specific details.

  4. Refer to this policy for guidance on when not to allow for a patient to assign a personal representative in cases where the staff thinks they see signs of abuse or domestic violence

18 - Individual requests

(This policy does not apply to Business Associates)

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Refer to this policy to understand where an Individual may make certain requests pertaining to their PHI, such as:

    1. A Right to inspect and copy PHI

    2. A Right to confidential communications of their PHI

    3. A Right to understand their accounting of disclosures

    4. A Right to request amendments

  3. Refer to this policy for timelines for obliging these requests, when to grant them, when to deny them and what to make available.

  4. Retain records regarding individual requests for a minimum of 6 (six) years

19 - Personnel Designations

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Refer to this policy for guidance on the duties and responsibilities of a Privacy Officer

  3. Be sure to name/appoint your Privacy Officer in this policy, in writing

20 - The Minimum Necessary Requirement

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Use this policy to understand the proper way to disclose PHI: provide another party with only the PHI they need to know.

  3. Refer to this policy for the exceptions where the Minimum Necessary Rule does not apply to a disclosure of PHI.

21 - Uses and Disclosures that are permitted by Privacy Rule, or permitted by Authorization

(This does not apply to Business Associates)

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Refer to this policy in order to understand when your Organization may be permitted to disclose PHI without the Individual’s authorization.

  3. Obtain verification of the person’s identity when able.

  4. Refer to this policy for when a designated personal representative may receive PHI disclosed to them without SPECIFIC individual authorization for the specific case, or in the case of an emergency at staff’s best judgment.

  5. Refer to this policy in cases where a person may be trying to locate a family member, or learn of their death.

  6. Refer to this policy for guidance on how and when to disclose PHI in the event of an emergency or natural disaster.

  7. Refer to this policy for guidance on how to handle disclosure of PHI to BAs.

22 - Uses and Disclosures that are permitted without individual Authorization

(This does not apply to Business Associates)

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Refer to this policy to understand who has unlimited access to disclosure of PHI.

  3. Refer to this policy to understand the scope of Treatment, Payment or Operations in the context of authorization for disclosure of PHI

  4. Refer to this policy to learn about a patient’s right to revoke authorization at any time

  5. Psychotherapy notes: refer to this policy for the use and disclosure requirements that apply to them.

  6. Review this policy to learn about the minimum contents of an authorization form

23 - Privacy Policy

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Refer to this policy for a reminder of everything you do in the name of protecting PHI as pursuant to the HIPAA privacy rule.

24 - Acceptable Use Policy

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Refer to this policy if ever you need to clarify what is permitted use of company owned equipment, email, or internet for business reasons

  3. Refer to this policy for clarification on how one should address the matter of keeping Company information confidential.

  4. Refer to this policy for how one should address the matter of storing and deleting emails. For emails containing PHI, you should delete them within 90 days, if able.

25 - Security Incident Response

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Refer to this policy for steps on setting up a plan for the event of a breach.


26 - Disaster Recovery

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Refer to this policy in order to further understand what qualifies as a disaster

  3. Use the steps in this policy to tailor your disaster recovery plan to how your Organization functions.


27 - Facility Access Controls

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Refer to this policy to understand the physical, tangible safeguards the Organization can implement to protect PHI from unauthorized disclosure.

  3. Refer to this policy to learn who may access restricted areas, guidance on alarm systems, and the documentation/audit requirements for logging changes over time.


28 - Ongoing Risk Assessment

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. On an annual basis, be sure to complete your Security Risk Assessment found within Accountable as per HIPAA Regulation.

29 - Data Integrity

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Coordinate with your IT group, or whomever is most apt to discuss technology in your Org., to ensure the integrity of data/PHI remains intact.


30 - Data Backup and Storage

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Perform a backup of any critical systems daily

  3. Refer to this policy for requirements/guidance on backing up data containing PHI

  4. Be sure to document your backup efforts as well.

31 - Transmission Security

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Please refer to this policy for guidance on protecting PHI when data is in motion


32 - Authentication Controls

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Refer to this policy for guidance on establishing unique user IDs and passwords for employees accessing systems containing PHI.


33 - Workstation Security

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Refer to this policy for guidance on protecting ePHI in a physical, tangible sense.

  3. Ensure automatic log-off is enabled on workstations that access ePHI

  4. Do not allow employees to download PHI onto any personal devices


34 - Encryption

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Whenever able, and however the Organization can, implement encryption to protect the PHI you have been tasked with safeguarding.

  3. Encrypt each device at the full-disk level: BitLocker on Windows PCs, FileVault on macOS, enabled through the system Settings.

  4. Smartphones and IoT (Internet of Things) devices that will access PHI, whether owned by the company or by the employee, will implement the following safeguards:

    1. A biometric such as a fingerprint may be used to unlock the device. In lieu of a biometric, a PIN of at least 6 (six) digits is required.

    2. Double check under Settings that the device storage is encrypted.

    3. Enroll the device in remote wipe ahead of time so that, in the event of device loss, the Organization can erase any PHI stored on or accessible from it.

  5. Whenever able, email communications containing PHI will be encrypted.

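An added example, not part of the Accountable policy text or product: a small Python check that reads the status output of the two full-disk encryption tools named in item 3 (`fdesetup status` on macOS, `manage-bde -status` on Windows) and decides whether the device counts as encrypted, so the "double check under Settings" step can be turned into recorded evidence. The sample tool outputs below are constructed for the example. The caveat it encodes is that a BitLocker volume can report "Fully Encrypted" while protection is suspended ("Protection Off"); in that state the volume key is stored on disk in the clear, so the volume must not be treated as protected.

```python
"""Turn full-disk encryption status into a pass/fail record.

Added example (not Accountable's code).  The sample outputs are constructed;
`collect_live_status()` runs the real tool on the current machine.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed samples of `fdesetup status` on macOS.
SAMPLE_FDESETUP_ON = "FileVault is On.\n"
SAMPLE_FDESETUP_OFF = "FileVault is Off.\n"

# Constructed sample of `manage-bde -status` on Windows.  Volume D: is fully
# encrypted but protection is suspended, so its key sits on disk in the clear.
SAMPLE_MANAGE_BDE = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OS]
[OS Volume]

    Size:                 237.42 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:
        Password
"""


@dataclass
class VolumeStatus:
    letter: str
    conversion: str
    protection: str

    @property
    def protected(self) -> bool:
        # Both are required: "Fully Encrypted" with protection suspended is not protected.
        return self.conversion == "Fully Encrypted" and self.protection == "Protection On"


def parse_fdesetup(output: str) -> bool:
    """True iff `fdesetup status` reports FileVault On."""
    return "FileVault is On" in output


def parse_manage_bde(output: str) -> list[VolumeStatus]:
    """Split `manage-bde -status` output into one record per volume."""
    volumes = []
    for block in re.split(r"(?m)^Volume ", output)[1:]:
        letter = block.split(":", 1)[0].strip()
        # Indented "Name:   value" lines; the indented key-protector names have no colon.
        fields = dict(re.findall(r"^[ \t]+([\w ]+?):[ \t]+(.+?)[ \t]*$", block, re.M))
        volumes.append(VolumeStatus(letter, fields.get("Conversion Status", ""),
                                    fields.get("Protection Status", "")))
    return volumes


def device_encrypted(platform: str, output: str) -> tuple[bool, list[str]]:
    """Return (compliant, reasons) for the given platform's tool output."""
    if platform == "darwin":
        ok = parse_fdesetup(output)
        return ok, ([] if ok else ["FileVault is off"])
    if platform == "win32":
        vols = parse_manage_bde(output)
        if not vols:
            return False, ["no BitLocker volumes reported"]
        reasons = [f"{v.letter}: {v.conversion}, {v.protection}" for v in vols if not v.protected]
        return not reasons, reasons
    return False, [f"unsupported platform {platform}"]


def collect_live_status() -> tuple[bool, list[str]]:
    """Run the real tool on this machine (manage-bde needs an elevated prompt)."""
    cmd = {"darwin": ["fdesetup", "status"], "win32": ["manage-bde", "-status"]}.get(sys.platform)
    if cmd is None:
        return False, [f"unsupported platform {sys.platform}"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return device_encrypted(sys.platform, out)


if __name__ == "__main__":
    for name, plat, sample in [("mac (on)", "darwin", SAMPLE_FDESETUP_ON),
                               ("mac (off)", "darwin", SAMPLE_FDESETUP_OFF),
                               ("windows", "win32", SAMPLE_MANAGE_BDE)]:
        print(name, device_encrypted(plat, sample))
```

Store the (compliant, reasons) pair with the device inventory each time it is collected; a device that flips from protected to "Protection Off" is exactly the change the audit trail in the next policy should surface.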

35 - Audit Controls; System Alerts

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Set up a mechanism to track and record activity in your Organization’s critical systems.

  3. Audit logs shall be retained as evidence when an adverse event occurs, so be sure to keep an access record.

  4. Refer to this policy to understand how to configure System Alerts that are raised automatically when a breach occurs.

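An added example, not part of the Accountable policy text or product, of what items 2 to 4 look like in practice: two alerting rules run over an access record of the kind the policy asks you to keep. The log format (ISO timestamp, user, patient record ID, action, tab-separated), the sample lines, the business-hours range and the bulk-access threshold are all constructed or assumed for the example; map the parser and thresholds to your own system's audit fields.

```python
"""Alerting rules over a PHI access log (added example, not Accountable's code).

Log format and sample lines are constructed: "timestamp<TAB>user<TAB>patient<TAB>action".
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time, assumed for the example
BULK_WINDOW = timedelta(minutes=10)    # sliding window per user
BULK_THRESHOLD = 5                     # more distinct patients than this in the window alerts

# Constructed sample: one user sweeps six charts in five minutes, two accesses fall at night.
SAMPLE_LOG = """\
2024-03-04T08:02:11\tjdoe\tP1001\tVIEW
2024-03-04T08:03:40\tjdoe\tP1002\tVIEW
2024-03-04T08:04:02\tjdoe\tP1003\tVIEW
2024-03-04T08:05:19\tjdoe\tP1004\tVIEW
2024-03-04T08:06:55\tjdoe\tP1005\tVIEW
2024-03-04T08:07:30\tjdoe\tP1006\tEXPORT
2024-03-04T09:15:00\tmsmith\tP2001\tVIEW
2024-03-04T23:41:08\tmsmith\tP2002\tVIEW
2024-03-05T02:10:45\tsvc_backup\tP2003\tEXPORT
"""


class Access(NamedTuple):
    ts: datetime
    user: str
    patient: str
    action: str


def parse_log(text: str) -> list[Access]:
    """Parse the constructed tab-separated format into Access records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split("\t")
        records.append(Access(datetime.fromisoformat(ts), user, patient, action))
    return records


def after_hours(records: list[Access]) -> list[str]:
    """Rule 1: any PHI access outside business hours."""
    return [f"after-hours access by {r.user} to {r.patient} at {r.ts.isoformat()}"
            for r in records if r.ts.hour not in BUSINESS_HOURS]


def bulk_access(records: list[Access]) -> list[str]:
    """Rule 2: one user touching more than BULK_THRESHOLD distinct patient
    records within BULK_WINDOW (sliding window over that user's accesses)."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        by_user[r.user].append(r)
    alerts = []
    for user, recs in by_user.items():
        start = 0
        for end, r in enumerate(recs):
            while r.ts - recs[start].ts > BULK_WINDOW:   # drop accesses older than the window
                start += 1
            patients = {x.patient for x in recs[start:end + 1]}
            if len(patients) > BULK_THRESHOLD:
                alerts.append(f"bulk access by {user}: {len(patients)} patients in "
                              f"{BULK_WINDOW} ending {r.ts.isoformat()}")
                break                                    # one alert per user per run
    return alerts


def run_rules(text: str) -> list[str]:
    """Run every rule over the log text and return the alert strings."""
    records = parse_log(text)
    return after_hours(records) + bulk_access(records)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print("ALERT:", alert)
```

The rules read the access record rather than the application, which is the point of item 3: the same log that proves what happened after an incident is the input that lets the alert fire while it is happening. Service accounts such as the backup user will trip the after-hours rule by design; allow-list them explicitly rather than widening the hours for everyone.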

36 - Access Rights

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Refer to this policy to understand how you will establish Role-Based Access and assign and disable User IDs.

37 - Device, Media and Hardware Controls

  1. Make sure employees read this policy and attest to their understanding of it in order to comply with HIPAA regulation.

  2. Sanitize media that once contained PHI before discarding or reusing it

  3. Keep a well-maintained Data Inventory in Accountable

