Using InstantSecurityPolicy.com to achieve HIPAA Compliance

By purchasing the Gold Security Package, you will receive an invaluable tool in your HIPAA compliance efforts.  The Gold Package was designed to help businesses of all sizes comply with demanding security standards and regulations.

Below you will find an overview of the HIPAA security and privacy standards, mapping each requirement to the policy that covers that requirement.

HIPAA is a very broad standard, so the information below includes only the required activities of the HIPAA rule.  Other sections of the HIPAA standard, which include activities that are addressable, are typically covered by our policies but are not detailed below. In some cases the information below has been edited for brevity or clarity, so please refer to the final HIPAA standard for your compliance information.

4.1 Security Management Process (164.308(a)(1))
HIPAA Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations.
Required Activities:

Conduct Risk Assessment
    Covered by Incident Response Policy, section 4.7.1 Risk Assessment.

Implement Risk Management Program
    Covered by Incident Response Policy, section 4.7.2 Risk Management Program.

Develop and Implement a Sanction Policy
    Each policy includes an Enforcement section that covers sanctions for violations of each policy.  A formal Sanction Policy should be developed in conjunction with your Human Resources & Legal Departments.

Develop and Deploy the Information System Activity Review Process
    Covered by Network Security Policy, section 4.2.5 Log Review.
    Covered by Network Security Policy, section 4.2.4 Log Management.
    Can also be covered by Network Security Policy, section 4.6 Intrusion Detection/Intrusion Prevention.

4.4 Information Access Management (164.308(a)(4))
HIPAA Standard: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.
Required Activities:

Isolate Healthcare Clearinghouse Functions
    Covered by Confidential Data Policy, section 4.3 Security Controls for Confidential Data.
    Covered by Network Security Policy, section 4.9 Network Compartmentalization.

4.6 Security Incident Procedures (164.308(a)(6))
HIPAA Standard: Implement policies and procedures to address security incidents.
Required Activities:

Develop and Implement Procedures to Respond to and Report Security Incidents
    Covered by Incident Response Policy (multiple sections).
    Covered by Network Security Policy, section 4.15 Suspected Security Incidents.
    Covered by Acceptable Use Policy, section 4.21 Reporting of a Security Incident.

4.7 Contingency Plan (164.308(a)(7))
HIPAA Standard: Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence that damages systems that contain electronic protected health information.
Required Activities:

Data Backup Plan
    Covered by Backup Policy (multiple sections).

Disaster Recovery Plan
    Several policies, such as the Physical Security Policy and the Backup Policy, cover managing risks to IT assets from many types of disasters.  However, a typical Disaster Recovery Plan covers far more than IT systems and operations, and thus non-IT functions (such as staff coverage during a disease pandemic) are not addressed in our offering.

Develop and Implement an Emergency Mode Operation Plan
    See Disaster Recovery Plan (above).

4.9 Business Associate Contracts and Other Arrangements (164.308(b)(1))
HIPAA Standard: A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.
Required Activities:

Written Contract or Other Arrangement
    Covered by Outsourcing Policy, section 4.5 Outsourcing Contracts (as well as other sections).

4.13 Device and Media Controls (164.310(d)(1))
HIPAA Standard: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
Required Activities:

Implement Methods for Final Disposal of EPHI
    Covered by Confidential Data Policy, section 4.1.3 Destruction of Confidential Data.
    Covered by Network Security Policy, section 4.8 Disposal of Information Technology Assets.

Develop and Implement Procedures for Reuse of Electronic Media
    Covered by Confidential Data Policy, section 4.1.3 Destruction of Confidential Data.

4.14 Access Control (164.312(a)(1))
HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.
Required Activities:

Ensure that All System Users Have Been Assigned a Unique Identifier
    Covered by Network Access and Authentication Policy, section 4.2 Account Use.

Establish an Emergency Access Procedure
    Covered by Confidential Data Policy, section 4.5 Emergency Access to Data.

Please note that the information above maps the HIPAA requirements to the InstantSecurityPolicy.com policies that cover the requirement.  As with any regulation, the procedures you put into place to enforce your policies are critical to your compliance.

We recommend that as you answer the questionnaire, you keep the HIPAA requirements in mind and answer the questions accordingly.

The Gold Security Package is a great source for policies to assist with HIPAA Compliance.

The above information is based on interpretation by an experienced policy professional and is believed to be correct.  Please note, however, that InstantSecurityPolicy.com is not in the business of dispensing legal advice, and thus any policies generated should be reviewed for applicability to your specific situation.