
THESE ARE POLICIES, PROCEDURES AND STANDARD PRACTICES YOUR PROGRAM NEEDS
Checklist 2025
COMPLIANCE 2025
WHAT YOUR HEALTHCARE COMPANY MUST HAVE IN ITS COMPLIANCE PROGRAM
POLICIES AND PROCEDURES
Each part of your healthcare compliance program needs to meet certain requirements which have been provided by the Office of Inspector General (OIG). Your HIPAA Policies and Procedures need to contain specific language which is explained below.
HIPAA USE AND DISCLOSURE OF PHI POLICY
This policy needs to demonstrate how your company handles both the use and the disclosure of PHI. It should cover contractors, vendors, all employees within your company, and outside agencies.
HIPAA USE TO THE INDIVIDUAL POLICY
This policy explains how the use of HIPAA-related information applies to the individual or patient involved. It needs to be specific in its language and address all of the uses currently in operation. These uses may change with time, so the policy must be updated to reflect the most current information. It is important to review this policy annually so that it meets current industry standards.
HIPAA AMENDMENT TO PHI POLICY
Any amendment to PHI that you, as a healthcare company, make must be recorded and documented. This policy should address how that process is completed and what the requirements are for completion.
HIPAA AUTHORIZATION FOR USE POLICY
This policy must detail the authorization requirements in place to ensure the protection of any PHI and ePHI.
HIPAA DISCLOSURE FOR TPO POLICY
This policy must address the standards you have in place regarding TPO (Treatment, Payment and Operations) and what qualifies as meeting those standards.
HIPAA BREACH NOTIFICATION POLICY
This policy must explain in detail the OCR (Office for Civil Rights) standards for breach notification and how your company responds in the event of a breach.
HIPAA DESIGNATED RECORD SET POLICY
This policy must explain what constitutes a designated record set within your company. Items can include medical and billing records and other PHI-containing documents. It also needs to provide a list of what is excluded.
HIPAA MINIMUM USE POLICY
This policy needs to explain what minimum use is and how it affects those who have access to PHI and ePHI. The explanation should include how minimum use applies to specific levels of access, based on the responsibilities of each job role within your company.
HIPAA MITIGATION POLICY
This policy must explain the procedures you have in place when the improper use or disclosure of PHI occurs and what steps your company will take to mitigate any harmful effects.
HIPAA NON-RETALIATION POLICY
This policy must explain that your company will not retaliate against any individual for reporting a HIPAA compliance violation. Detailed examples of how to report violations should be included.
HIPAA PRIVACY TRAINING POLICY
This policy should explain your training provisions for all employees along with the frequency and requirements of this training.
HIPAA SANCTIONS POLICY
This policy should explain the sanctions imposed on any employee who fails to comply with the HIPAA policies and procedures, along with examples of what are considered sanctionable violations.
ACCOUNTING OF DISCLOSURES POLICY
Any time PHI is provided to an outside agency it must be accounted for and documented. This policy needs to address every disclosure of data, whether PHI, ePHI, or III, which could be considered at risk.
DATA GOVERNANCE POLICY
This policy will provide data management and data governance standards, including the governance structure for data access, data usage, data integrity, and the consequences of noncompliance.
DATA ACCESS POLICY
This policy will outline the access controls and standards you have in place for managing access. It will provide the protocols that protect all forms of data within your company, including data that is created, stored, or transmitted in any way.
NOTICE OF PRIVACY PRACTICES POLICY
This policy will include several key components: the notice of privacy practices, duties required by law, how information will be used and in what capacity, governmental disclosures, and authorization for disclosures.
SYSTEM AND DATABASE SECURITY POLICY
This policy will describe how protection is provided for all information assets, along with standards for system administration, database controls, malicious software protection, configuration, backup and recovery, and audit log security.
SECURITY VULNERABILITY MANAGEMENT
This policy will describe vulnerability management, including how security reviews are completed, the types of system security reviews performed (external, internal, penetration testing), and the designation of responsibilities.
RISK MANAGEMENT POLICY
This policy will address standards for risk management, the security control measures in place, access controls, encryption, change management, monitoring systems, contingency planning, and training.
ACCESS CONTROL POLICY
This policy will address information security and access for all systems, network devices, and databases. It will include the designation of a security officer and outline user access, including formal access requests, access changes, and access termination.
SECURITY VULNERABILITY MANAGEMENT POLICY
This policy will address the standards in place, including risk management reviews, security monitoring, vulnerability management, patch management, and system security reviews.
ENCRYPTION POLICY
This policy will address the standards in place for strong cryptography and encryption techniques such as SSL, TLS, and IPsec in order to protect and safeguard data transmitted over the internet and wireless networks (note that SSL itself is deprecated; current deployments should rely on TLS).
In addition to the policy and procedure requirements for your compliance program, there are many other pieces which need to be in place so that you and your healthcare company demonstrate a fully functional compliance program. Having these items in place will show government entities such as the OIG that you take compliance seriously and have implemented the required standards across your business.
SECURITY RISK ASSESSMENT
The SRA (Security Risk Assessment) must be completed annually, and you must have records which indicate that this is done consistently within your company. The SRA is meant to assess risk related to the security of data, specifically PHI and ePHI. This tool requires significant manpower to complete correctly, which is why some consulting companies charge $100K to complete it.
The SRA will take each data asset you have within your company and complete a formal risk analysis on each. All data assets which create, store, or transmit PHI and ePHI will be quantified against the likelihood of risks. Once this is scored and documented, a solution must be provided for those items deemed high risk.
Items scored as high risk will require a solution immediately. This process can be lengthy, but it is a mandate of the Office for Civil Rights (OCR), the government entity responsible for enforcement and for the penalties associated with HIPAA breaches.
BAA POLICY
This policy will set out how and when the Business Associate Agreement (BAA) is to be used, explain the terms covered entity and business associate, state the signature requirements, and include an example of the actual Business Associate Agreement. The example agreement will include language addressing HITECH, ePHI, the time frame of coverage for the BAA, and signature requirements.
DESIGNATING CHIEF OF COMPLIANCE AND PRIVACY OFFICER
The OIG (Office of Inspector General) provides details of what a compliance program for a healthcare company needs to contain. One of those details is the designation of a Chief Compliance Officer and a Privacy Officer. The best-case scenario is to hire this individual or individuals to focus solely on compliance within your company. However, depending on the size of your healthcare company and budget availability, this may or may not be possible. One option is hiring a consulting agency such as HIPPOMT to run this for your company. This option is usually much cheaper than hiring a full-time compliance officer. See the Consultant page.
Beware of assigning this role to someone within your company with little or no qualifications, as this often results in more problems.
If you would like DLS Consulting to help you with any of your compliance, privacy, or security needs, please contact us at 9403731283.