HIPAA Compliance Policies & Procedures
4 HIPAA Documents You Should Have
Having everything documented is perhaps one of the most challenging aspects of HIPAA. Companies we speak with generally have policies that they abide by, but when we ask "is that documented?" the answer is typically "no."
Every policy, procedure or process that affects protected health information (PHI) needs to be documented. This ensures consistency across the agency and prepares you for an audit or investigation. At minimum you should have the following four documents.
Document 1: Disaster Readiness
The important part of your plan is that you have a way to recover all electronic PHI and keep it secure, even if a tornado hits your office. If a breach happens due to a tornado, you are still liable for penalties. This plan needs to be documented and should contain:
- Recovery time objectives – how often back-ups are done
- Maximum tolerable downtime – how long your business can be down
- Working recovery time – how long it takes to get everything running
- Primary decision makers and backups – who handles emergency decisions
- Emergency shutdown – procedures for shutting down systems
- Comprehensive plans for different situations (e.g. tornado, flood or fire), including notifications and meeting locations
Document 2: Incident and Breach Plan
This is your course of action for an incident or breach. The plan should encompass these steps:
- Analyze the incident and retrieve as many details as possible
- Go through HIPAA's 4 identification factors to determine whether it is a breach
- Notify all necessary individuals and companies
- Determine further action steps and how you will prevent a similar breach from occurring
This document also generally includes a checklist or template notification letter.
Document 3: Change Log
HIPAA requires periodic reviews of access and activity. Keeping all changes in one place provides a way to see how everything is working collectively. A Change Log or Change Document should track any and all changes to:
- Servers
- Workstations
- Building security
- Mobile devices
GRA’s PHI365 service includes nearly 20 different template logs.
Document 4: Employee Handbook
An employee handbook details what employees need to know regarding HIPAA. This should incorporate details of the other three plans that are relevant to employees, such as:
- Where to meet for a fire or tornado
- Password requirements
- Importance of confidentiality
- Whom to report breaches or suspected fraud to
- Retaliation protection for reporting breaches and fraud
These are only 4 of the 10 documents GRA Benefits Group provides. Through PHI365, we deliver customized documentation to move you toward HIPAA compliance. Contact us to learn more.