Policy And Procedure On The Handling Of Privacy: Fill & Download for Free

Yes — and no.Yes, all of the major cloud service providers will agree to execute what’s called a Business Associate Agreement with Covered Entities in healthcare for the purpose of providing security under terms of HIPAA’s Privacy and Security Rules.BUT …All of those terms …Business Associate AgreementCovered EntitiesPrivacy and Security Rules… and many more, are legally defined terms that everyone who deals with Personal Health Information (PHI — also a legal term) should understand completely.… AND … it’s also important to understand that in this context, there is no “HIPAA Compliance,” because there is no certification process that issues stamps or badges of “HIPAA Compliance.”BEWARE OF ANY COMPANY THAT ADVERTISES OR PROMOTE THEIR SERVICE AS “HIPAA COMPLIANT.”The Privacy and Security Rules are what constitute adherence to HIPAA regulation, but these are policies and procedures designed to secure PHI — wherever it resides — and are much broader than just hardware/software technologies (like data encryption).There are independent, 3rd party audit firms that specialize in auditing security policies and procedures that go well beyond just ensuring that data is encrypted and technically secure. These audits are often done annually — and are expensive. The deliverable is a report that highlights strengths and weaknesses in all the policies and procedures for handling PHI data.Organizations that handle PHI at scale (like cloud service providers) should be able to produce such an audit report — and it should be recent. Many won’t — and that’s a big red flag — mostly associated with smaller companies that can’t (or won’t) afford a 3rd party audit.Given the liability it may be necessary to sign a non-disclosure with a BAA partner to see an audit report — and even that may not be sufficient for BAA partners to share their report. There is no legal obligation for them to share an audit report, and in the end, the BAA is the legally binding contract for data liability. It’s the BAA that should be carefully reviewed by competent legal counsel (preferably trained in healthcare law) before execution.See also: Is Anyone Really 'HIPAA Compliant' In Healthcare?

There is no “HIPAA” compliance because there’s no “certification” body. HIPAA isn’t like UL Listed with a great logo to match.The fact is, there is no governing body that reviews hardware, software or connections as part of process to “certify” HIPAA compliance.HIPAA is a set of rules that every organization must adhere to for the protection of patient health information. Passed in 1996, HIPAA stands for Health Insurance Portability and Accountability Act and there are two "rules" that apply to healthcare entities that handle Protected Health Information (PHI).The first is the Privacy Rule ‒ and the second is the Security Rule. These two rules work together to outline what Health and Human Services (HHS) requires as policies and procedures for handling PHI in all its forms (paper, electronic, images etc…).Who enforces these two “rules?” The Office of Civil Rights (OCR) under HHS is chartered with enforcing HIPAA and can leverage criminal and civil penalties for violations that occur with either "covered entities" or their partners as "business associates" ‒ both of which are defined legal terms.In the context of selling hardware (like Mac’s, PC’s, Tablets, Smarphones etc), Independent Hardware Vendors (IHV’s) are not considered to be either a “covered entity” or a “business associate,” so they don’t fall directly under the two rules of HIPAA. The same holds true for most Independent Software Vendors (ISV’s) as well.Now, how hardware and software is implemented (and all the policies and procedures around that) are what the two rules really govern.While there is no single authority or governing body for "HIPAA Compliance," there is a rigorous and formal process for establishing best practices around privacy and security specifically for PHI data.Implementing and adhering to these rigorous policies and procedures can and logically should be certified by a 3rd party organization that is neutral and qualified to assess the policies and procedures compared to best industry practices and benchmarks. Firms offering HIPAA specific audits (for adherence to the privacy and security rules of HIPAA) are typically CPA firms that offer both the audit and attestation service as an annual process. In healthcare, these audit protocols are well defined by the OCR.It's really critical for any healthcare software or services business to understand that without a 3rd party audit by a CPA firm following AICPA standards - they really have no idea how strong their privacy and security practices are. If there's ever a breach - the whole business is at risk for not only the breach, but the penalties associated with the breach, the recovery and the remediation. The smaller the healthcare company, of course, the harder it is to make all these commitments - which includes the cost of an annual 3rd party audit and attestation. David Barton ‒ Managing Director, UHY LLPThe trouble is — this type of annual commitment for “attestation” is expensive, so many ISV’s and IHV’s don’t bother with the expense and simply announce that they are “HIPAA Compliant.” Since there is no such thing, this only serves to add to the confusion and this is unfortunate because breaches of health data (PHI) is on the rise.Is Anyone Really 'HIPAA Compliant' In Healthcare? 2014

Minimum Necessary is the process that is defined in the HIPAA regulations:When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.The purpose of the Minimum Necessary Policy is to provide policies and procedures on the “minimum necessary” of Protected Health Information (PHI) as required by the HIPAA Privacy Regulations. It is to establish guidelines to implement the minimum necessary standard and to determine how the standard impacts the use, disclosure and request of PHI.This policy and procedure will have generalized policies and procedures that can be associated with organizations. For some of those organizations that have only a small number of the workforce disclosing the PHI or handling the PHI, some of the policy and procedures in this document may not be necessary.