This template walks through the common steps for HIPAA compliance, such as establishing the necessary security roles in your organization, conducting assessments, and running training.
This diagram was created on Feb 19, 2021 8:33 PM and was last updated Mar 8, 2021 9:36 AM.
Designate a Compliance, Security & Privacy Officer
You must first designate a Compliance, Security & Privacy Officer for your organization.
- Compliance Officer: responsible for developing compliance and training programs and for managing business associate agreements.
- Security Officer: responsible for compliance with the Administrative, Physical and Technical Safeguards of the Security Policies.
- Privacy Officer: responsible for developing a HIPAA-compliant privacy program, overseeing ongoing employee privacy training, conducting risk assessments, and developing HIPAA-compliant procedures where necessary.
Conduct Security Risk Assessment
Following the NIST Guidelines, conduct a Security Risk Assessment on your organization. A risk assessment helps reveal areas where your organization’s protected health information (PHI) could be at risk.
Conduct Privacy Assessment
Conduct a Privacy Assessment on your organization. Identify and mitigate risks, including risks to confidentiality, at every stage of the system life cycle.
Conduct Administrative Assessment
Conduct an Administrative Assessment and evaluate which policies your organization currently has in place to ensure the security of PHI.
Document all deficiencies from assessments
Create a document that itemizes all of the deficiencies from the following:
- Security Risk Assessment
- Privacy Assessment
- Administrative Assessment
List of Deficiencies
This is a document of all the deficiencies from the following:
- Security Risk Assessment
- Privacy Assessment
- Administrative Assessment
Have all deficiencies been identified and documented?
Have you identified all deficiencies discovered during the audits? Have you documented all deficiencies?
Create remediation plans to address deficiencies
Using the deficiencies from the audits, create remediation plans to address the deficiencies for the following:
- Security Risk Assessment
- Privacy Assessment
- Administrative Assessment
Remediation Plan
Remediation Plan that addresses the deficiencies in the following audits:
- Security Risk Assessment
- Privacy Assessment
- Administrative Assessment
Develop Policies & Procedures for Privacy, Security & Breaches
Create Policies and Procedures relevant to the HIPAA Privacy, Security, and Breach Notification Rules.
Policies & Procedures
Document the Policies & Procedures for HIPAA Privacy, Security and Breach Notification Rules.
Communicate the Policies & Procedures
Make your Policies & Procedures clearly available to everyone in your organization. Take time to review the Policies & Procedures with your staff.
Attestation to Policies & Procedures?
Have all staff members read and attested to the Policies and Procedures?
Document Attestation
Document the Attestation to Policies & Procedures from all staff members.
Attestation to Policies & Procedures
This is the document of every staff member's Attestation to the Policies & Procedures.
Develop a Compliance & Training Program
Develop a Compliance & Training program that makes it clear for everyone in your organization what your policies are and how to remain compliant. Training materials should also provide a more comprehensive overview of HIPAA compliance.
Compliance & Training Program
This is the document for your organization's Compliance & Training Program.
Perform Annual HIPAA Training
Require all staff members to complete an Annual HIPAA Training based on your Compliance & Training program.
Training Certificate
Require certificates for completion of your organization's HIPAA Training.
Establish Business Associate Agreements
The HIPAA Privacy Rule requires all Covered Entities to have a signed Business Associate Agreement (BAA) with any Business Associate (BA) they hire that may come in contact with PHI. Identify every entity with which you have a business association and require a signed BAA from each one.
Audit Business Associates and ensure they are HIPAA compliant
Perform an audit on all of your BAs to ensure that they are HIPAA compliant.
Business Associate Agreements
This is the document for all signed BAAs.
Develop a process for incidents or breaches
Develop a process for investigating minor or meaningful incidents or breaches. This should include the necessary steps for performing an investigation and how to document and report the incident or breach.
Do you have a process in the event of incidents or breaches?
Do you have the ability to track and manage the investigations of all incidents? Are you able to demonstrate that you have investigated each incident? Are you able to provide reporting of minor or meaningful breaches or incidents? Do your staff members have the ability to anonymously report an incident?
Process Documentation for Incidents or Breaches
This is the documentation of the process for an incident or breach. This document should describe the necessary steps to perform an investigation and how to document the report.
Anonymously report incident
Do your staff members have the ability to anonymously report an incident? This is an example of a staff member anonymously reporting an incident.
Anonymous Incident Report
This is the document that represents an anonymous incident report of a minor or meaningful breach or incident.
Investigate the Incident
Track and manage the investigation of the incident and document the steps you have taken for the investigation.
Investigation Report of minor or meaningful breach or incident
This is the document of your Investigation Report of the breach or incident.