| TD: Policy and Procedures Implementation

Policy and Procedures Implementation, v1.0

Specifies the that a health care related organization must implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart (Section 164.300-399), taking into account the organization's size, complexity, capabilities, the costs and risks associated with security, and other factors.

Assessment Steps (6)

1 Reasonable and Appropriate (ReasonableandAppropriate) Does the covered entity or business associate implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart (Section 164.300-399)? Artifact A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
2 Maintain Documents (MaintainDocuments) Does the covered entity or business associate maintain the policies and procedures implemented to comply with this subpart (Section 164.300-399) in written (which may be electronic) form? Artifact A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
3 Maintain Written Record (MaintainWrittenRecord) Does the covered entity or business associate, if an action, activity or assessment is required by this subpart (Section 164.300-399) to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment? Artifact A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
4 Retention Time Limit (RetentionTimeLimit) Does the covered entity or business associate retain the above required documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later? Artifact A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
5 Make Documentation Available (MakeDocumentationAvailable) Does the covered entity or business associate make documentation available to those persons responsible for implementing the procedures to which the documentation pertains? Artifact A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.
6 Periodically Review and Update Documentation (PeriodicallyReviewandUpdateDocumentation) Does the covered entity or business associate review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information? Artifact A1 Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) that support the assessor's response to this assessment step.

A covered entity or business associate must perform these requirements in accordance with Section 164.306 (Security standards: General rules).

Conformance Criteria (6)

Reasonable and Appropriate The covered entity or business associate must implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart (Section 164.300-399), taking into account those factors specified in 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. Citations HIPAA-Security-Rule 45 CFR Section 164.316(a) HIPAA-Security-Rule 45 CFR Section 164.306
Maintain Documents The covered entity or business associate must maintain the policies and procedures implemented to comply with this subpart (Section 164.300-399) in written (which may be electronic) form. Citations HIPAA-Security-Rule 45 CFR Section 164.316(b)(1)(i) HIPAA-Security-Rule 45 CFR Section 164.306
Maintain Written Record The covered entity or business associate must, if an action, activity or assessment is required by this subpart (Section 164.300-399) to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. Citations HIPAA-Security-Rule 45 CFR Section 164.316(b)(1)(ii) HIPAA-Security-Rule 45 CFR Section 164.306
Retention Time Limit The covered entity or business associate must retain the above required documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later. Citations HIPAA-Security-Rule 45 CFR Section 164.316(b)(2)(i) HIPAA-Security-Rule 45 CFR Section 164.306
Make Documentation Available The covered entity or business associate must make documentation available to those persons responsible for implementing the procedures to which the documentation pertains Citations HIPAA-Security-Rule 45 CFR Section 164.316(b)(2)(ii) HIPAA-Security-Rule 45 CFR Section 164.306
Periodically Review and Update Documentation The covered entity or business associate must review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information Citations HIPAA-Security-Rule 45 CFR Section 164.316(b)(2)(iii) HIPAA-Security-Rule 45 CFR Section 164.306

Show Metadata, Sources & Terms

Hide Metadata, Sources & Terms

Metadata

Identifier

https://artifacts.trustmarkinitiative.org/lib/tds/policy-and-procedures-implementation/1.0/

Publication Date

2017-02-17

Issuing Organization

Trustmark Initiative (https://trustmarkinitiative.org/) View Contact

Trustmark Support

help@trustmarkinitiative.org

555-555-5555

No Mailing Address

Keywords

Health Care, HIPAA Security

Issuance Criteria

yes(ALL)

Target Stakeholder

Health care related organizations that use protected health information (PHI) in a manner that is subject to regulations in the Health Insurance Portability and Accountability Act (HIPAA).

Target Recipient

Health care related organizations that want to demonstrate that they use, disclose, process and store protected health information (PHI) in a manner that complies with HIPAA regulations 45 CFR Parts 160 - 164.

Target Relying Party

Health care related organizations and individuals that require their trusted partners' privacy and security policies and procedures to comply with the Health Insurance Portability and Accountability Act (HIPAA).

Target Provider

Organizations that audit or evaluate health care related organizations for compliance with privacy and security policies and procedures in the Health Insurance Portability and Accountability Act (HIPAA).

Provider Eligibility Criteria

Any organization or business entity may act as a Trustmark Provider for trustmarks under this Trustmark Definition.

Assessor Qualifications

Any individual employed or contracted by the Trustmark Provider may act as the assessor for trustmarks under this Trustmark Definition.

Trustmark Revocation Criteria

For any trustmark issued under this Trustmark Definition, the Trustmark Provider must revoke the trustmark upon any condition whereby one or more Conformance Criteria cease to be satisfied.

Extension Description

This Trustmark Definition requires no extension data.

Legal Notice

This artifact is published by the Georgia Tech Research Institute (GTRI) as part of the Trustmark Initiative. This artifact and the information contained herein is provided on an "AS IS" basis, and GTRI disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties or merchantability or fitness for a particular purpose. In addition, GTRI disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.

Sources (1)

HIPAA-Security-Rule	HIPAA Security Rule, published by U.S. Dept of Health and Human Services, HIPAA Administrative Simplification Regulation Text (March 2013) 45 CFR Part 160 and Part 164 Subparts A (164.100 - 164.199) and C (164.300 - 164.399), available at http://www.hhs.gov/hipaa/for-professionals

Terms (7)

Term Name	Abbreviations	Definition
Business Associate	BA	Covered entities engage "business associates" to work on their behalf. A business associate is a person (not part of the workforce of the covered entity) or organization that creates, receives, maintains, or transmits protected health information on behalf of the covered entity. Covered entities must have contracts or other arrangements in place with their business associates to ensure that the business associates safeguard protected health information, and use and disclose the information only as permitted or required by the Privacy Rule. A covered entity may be a business associate of another covered entity.
Covered Entity	CE	The Administrative Simplification provisions of HIPAA apply to three types of entities, which are known as "covered entities": 1) health care providers if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard, 2) health plans, and 3) health care clearinghouses. A covered entity may be a business associate of another covered entity.
Disclosure		Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.
Electronic Protected Health Information	e-PHI	Electronic protected health information means protected health information (PHI) that is transmitted by electronic means or maintained in electronic media.
Health Insurance Portability and Accountability Act of 1996	HIPAA	The HIPAA law includes Administrative Simplification provisions that require adoption of national standards for electronic health care transactions and code sets, unique health identifiers, and security. Additionally, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.
Protected Health Information	PHI	Protected health information (PHI) means "individually identifiable health information" that is transmitted by electronic means or maintained in electronic media or transmitted or maintained in any other form or medium, except it excludes individually identifiable health information: In education records covered by the Family Educational Rights and Privacy Act; In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); In employment records held by a covered entity in its role as employer; Regarding a person who has been deceased for more than 50 years. HIPAA rules protect most PHI held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. PHI is information, including demographic information, which relates to the individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual. For example, PHI includes name, address, birth date, Social Security Number, a medical record, laboratory report, or hospital bill. However, reporting or aggregating data that cannot be used to individually identify a person would not be considered PHI.
U.S. Department of Health and Human Services	HHS	The U.S. Department of Health and Human Services' (HHS) mission is to enhance and protect the health and well-being of all Americans by providing for effective health and human services and fostering advances in medicine, public health, and social services.

Also available as XML or JSON