AMC General Policy and Management Guidelines
Category I and II Guidelines
GEN.01 Roles and Responsibilities in Development and Maintenance
Category I Guidelines - Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines - Actions should be taken to address these.
• Establish a formal HIPAA security and privacy compliance program.
• Enlist external consultants.
• Push responsibility down to line management.
• Designate a responsible executive.
• The coordinator should cultivate a small, informal group of advisors from among those people whose current roles give them a significant stake in how the HIPAA development process is structured (e.g. risk managers, internal auditors, accreditation managers, health information managers, senior IT managers, senior clinical operations managers, counsel).
• Appoint a Security Officer and a Privacy Official after the awareness phase for senior and middle managers is mature.
• Require regular reporting to senior management on the status of the development effort during the awareness phase. Continue with a reporting format appropriate to the planning and execution phases.
• Organize around the idea that HIPAA is a compliance project with strong implications for clinical operations, IT activities, and business relations. Appointments and processes should respect this concept.
• Establish a set of guidelines for use by the covered entity's management in forming HIPAA-compliant operations. Use these as a common reference in decision-making related to HIPAA.
• Develop the HIPAA program models that include managers' involvement in ways that will aid each manager's role with HIPAA. Be sure to actively involve managers from the research, education, and clinical care areas of the covered entity.
GEN.02 Organizational Support for HIPAA Security and Privacy Compliance
Category I Guidelines - Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines - Actions should be taken to address these.
• Demonstrate executive management commitment to compliance with the HIPAA security and privacy requirements.
• Provide a contact who can assist line management with compliance activities.
• Implement accountability for failure to participate in compliance activities.
• Establish a HIPAA security and privacy compliance reporting program; require compliance reporting on a regular basis.
• Educate line management on the importance of HIPAA security and privacy compliance, executive management's commitment to compliance, and the consequences of noncompliance. Consider tracking participation in this education program.
• Include HIPAA security and privacy compliance in line management performance criteria.
• Establish and publicize sanctions for failing to participate in compliance activities.
GEN.03 Resources for Development and Maintenance
Category I Guidelines - Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines - Actions should be taken to address these.
• Use existing resources to scope effort and cost.
• Use an incremental funding model.
• Pay attention to the principles of reasonability and scalability when forming budget estimates.
• Investigate minimal compliance.
• Investigate cost recovery specific to the regulatory mandate.
• Consider non-monetary costs.
• Compare with the cost of non-compliance, including non-monetary costs.
• Treat HIPAA security and privacy resource requests as part of the normal budget process.
GEN.04 Evaluation and Monitoring of Development and Maintenance
Category I Guidelines - Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines - Actions should be taken to address these.
• Establish a governing body for evaluation and monitoring, to guide implementation, and to review compliance.
• Provide consistent guidelines for HIPAA security and privacy compliance across the covered entity.
• Forward progress reports up the covered entity's management chain.
• Formally recognize when work moves from "development" to "operations."
• Make line executives responsible for compliance oversight.
• Tie compliance to formal audit and/or accreditation processes.
• Consider the use of an automated tool to capture compliance activity.
Roadblocks
No roadblocks specific to this point.
GEN.05 Reasonableness
Category I Guidelines - Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines - Actions should be taken to address these.
• Use cost and feasibility studies to assess reasonableness.
• Conduct risk analysis to assess the reasonableness of compliance measures.
• Benchmark against similar covered entities and network with peers.
• Obtain advice of counsel on policies and procedures.
• Evaluate and monitor functions to ensure the reasonableness of compliance measures.
• Encourage internal consistency of practices.
• Document justifications of reasonableness decisions.
• Establish an effective remedial action process; such a process may be considered evidence of reasonableness.
• Obtain certification of security procedures; doing so may be considered evidence of reasonableness.
GEN.06 Scalability
Category I Guidelines - Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines - Actions should be taken to address these.
• Tie the justification of selected practices and safeguards to risk analysis.
• Define your covered entity, its boundaries, and its scope.
• Consider organizational size, assets, and capabilities in determining the reasonableness of proposals for meeting the HIPAA security and privacy program.
• Benchmark recommendations of risk analysis efforts against peers.
GEN.07 Limiting Liability Arising from Compliance
Category I Guidelines - Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines - Actions should be taken to address these.
• Formulate liability mitigation procedures for internal audit and critical self-analysis findings.
• Consider the use of attorney-client and other privileges to reduce liability.
• Document and follow effective problem correction procedures.
• Benchmark industry best practice and regulatory standards to establish conformance to standards of best practice and due care.
• Use a formal compliance program as a mitigating factor.
• Document timeliness of response to reported problems as a mitigating factor.
• Consider whether certification of the covered entity's security system is a mitigating factor.
• Involve the covered entity's legal counsel in the design of liability reduction measures.
• Use the security system to protect the confidentiality of information that might create liability.
• Review IRB processes in relation to privacy and security incidents.
GEN.08 HIPAA Accreditation Intersections
Category I Guidelines - Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines - Actions should be taken to address these.
• Compile a comparison list of conflicting rules.
• Encourage boards, joint commissions, etc., to take public positions on conflicts and eliminate them.
• Determine whether HIPAA compliance eliminates the need for compliance to some other regimes.
• Encourage development of reciprocity agreements among regimes.
GEN.09 Stricter State Law § 160.203
Category I Guidelines - Actions must be taken to address these.
• Determine when the federal floor for a particular situation is superseded by state law or regulation.
Category II Guidelines - Actions should be taken to address these.
• Participate in statewide consortia that will provide guidance on when the federal floor for a particular regulation is superseded by state law or regulation. This is an opportunity to build consensus and reduce uncertainty and confusion while constraining costs.
• Obtain advice from counsel when there are potential issues related to the application of state law.
GEN.10 Policy Establishment and Modification
Category I Guidelines - Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines - Actions should be taken to address these.
• Choose the covered entity's structure and affiliate relationships carefully where flexibility in defining covered entity structure exists.
• Encourage independent policy formulation authorities to work together on HIPAA security and privacy policy development and implementation.
• Use existing policy formulation and implementation processes and agreements wherever possible (human resources processes, union contracts, etc.).
• Consider requiring specific policies and procedures in contracts if necessary.
GEN.11 Policy Usage Introduction
Category I Guidelines - Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines - Actions should be taken to address these.
• Justify policies by explaining how they benefit the covered entity and its customers.
• Emphasize the risks of non-compliance.
• Model security and privacy policy deployments on previous successful policy deployments within the covered entity. Look specifically at human resources policy introduction processes.
• Require and keep records of workforce members' acknowledgement that they have received and understood security and privacy policy.
• Examine policy compliance during risk assessment and accreditation; implement corrective actions if necessary.
• Consider pilot policy deployments and adjust broader deployment plans based on the results of the pilots.
GEN.12 Privacy Culture
Category I Guidelines - Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines - Actions should be taken to address these.
• Have senior management set clear expectations.
• Ensure that role models set a good example.
• Provide feedback on security and privacy behavior.
• Publicize the application of sanctions.
• Incorporate consumer perceptions, expectations, and suggestions into the curriculum.
• Hold collegial discussions.
• Incorporate security and privacy in the curriculum (to build good habits early).
• Provide orientation training in terms of the expected culture of privacy, and establish and enforce policies dealing with transgressions.
GEN.13 Digital Signature
Category I Guidelines - Actions must be taken to address these.
None; this section is advisory only.
Category II Guidelines - Actions should be taken to address these.
• Anticipate and plan for participation in a PKI.
• Actively follow and participate in the development of digital signature standards through ANSI HISB and ANSI accredited standards development organizations.
• Plan for, budget for, and educate workforce members on the technology and use of digital signatures.
• Plan for, and adopt/develop certificate policies for, PKI and digital signatures. These policies should include granting, suspending, and revoking certificates, and assuring interoperability.
• Plan to replace proprietary electronic signatures with an interoperable standards-based digital signature.
• Consider developing limited near-term digital signature pilots.
GEN.14 Other Federal Law and HIPAA Privacy
Category I Guidelines - Actions must be taken to address these.
• Align the AMC's privacy program to be consistent with the intersecting demands of other federal laws related to privacy practices.
Category II Guidelines - Actions should be taken to address these.
• AMCs should ensure that the program managers in the areas affected by the intersecting laws (e.g. the Benefits group that handles the ERISA plan) are part of the HIPAA program team.
• AMCs should consider offering protections that comply with FERPA and HIPAA, even where not required to do so, to student health records within the student health clinics, educational administration, and other clinical facilities (e.g. the AMC's local hospital). Doing so will avoid having to interface multiple protection standards for the same person and sometimes even the same episode of care.
• AMCs should seek advice from their legal counsel with respect to these intersecting laws.