Service providers serving US and EU healthcare organizations — who store protected health information (PHI) and other personal data — are both HIPAA “business associates” and GDPR “processors” and are required to abide by both sets of regulations. These policy templates are designed specifically for service providers who provide cloud or hosted information systems, data analytics services, or other similar services.
Eagle Consulting’s HIPAA and GDPR policy templates will save you thousands in consulting fees…
Use Eagle’s HIPAA and GDPR policy templates to create one manual which will position you to:
- Increase sales with the strong HIPAA and GDPR compliance demanded by prospective customers.
- Impress customers with your responses to their audits and increase customer retention.
- Avoid crippling regulatory fines — random HIPAA audits are ongoing and HIPAA and GDPR fines are steep.
- Reduce anxiety knowing your organization is compliant with HIPAA and GDPR and follows best practices.
- Protect your organization from costly and embarrassing data loss.
- Reduce the risk of a financially devastating data breach.
Finally, there is an easy and affordable solution to the need for HIPAA and GDPR policies — comprehensive, customizable HIPAA and GDPR policy templates specifically for service providers. Eagle’s HIPAA and GDPR policy templates speed the process of HIPAA and GDPR compliance and help you increase security and avoid fines. Service providers subject to HIPAA and GDPR need policies regarding:
- the duty to report violations and security incidents,
- transparency regarding data practices,
- data subject rights,
- marketing and website compliance,
- lawfulness of processing under GDPR,
- data residency,
- breach reporting,
- pseudonymisation and anonymisation/de-identification,
- disaster recovery and emergency mode operation, among others.
All of these topics and more are covered in these policy templates!
These policy templates were built under the following assumptions, and modifications are likely needed if the following assumptions do not apply to your unique situation:
- Under GDPR, the organization adopting these policies will be a data “processor” for its clients who are EU healthcare providers, and the organization’s client will be a data “controller”.
- All data from EU healthcare organizations are maintained in a secure, EU-based data center.
- All sales, marketing and accounting information are transferred to a US data center.
- Cross-border transfers are compliant with the Privacy Shield Framework.
Download Today to Start Updating Your Policies & Procedures for Compliance
The following policies are included:
Policies For All Staff
1010 Privacy and Security – General Rules
1020 Data Classification and Privacy/Security Safeguards
1030 Confidentiality Safeguards (Oral & Written)
1050 Computer Usage
1060 Portable Computing Devices
1070 Employee Work at Home
1080 Duty to Report Violations and Security Incidents
Policies for Data Subject/Patient Rights
1200 Transparency Regarding Data Practices
1210 Data Subject Right of Access to Personally Identifiable Information
1220 Data Subject Right to Rectification
1230 Data Subject Right to Erasure
1240 Data Subject Right to Request Restriction of Processing
1250 Complying with Patient HIPAA Rights
GDPR Compliance For Specific Situations
1410 GDPR – Sales, Marketing & Website Compliance
Access Control and Human Resources
1600 Employee System Access
1610 Employee/Contractor Recruiting and Termination
1620 Security Awareness Program
1630 Employee Sanctions
GDPR and HIPAA Compliance
2000 Security Officer, Data Protection Officer and EU Representative
2010 Data Protection by Design and Default
2020 Lawfulness of Processing and Purpose Limitation Under GDPR
2030 GDPR and HIPAA Notifications and Documentation
2035 Privacy-Shield Verification and Certification and GDPR Compliance Validation
2040 Data Residency, Cross-Border Transfers and Data Facility Security
2045 Complaint Resolution Under Privacy Shield
2050 GDPR Agreements – GDPR and Privacy Shield Compliance
2060 Business Associate Contracts – HIPAA Compliance
2070 Breach Reporting – GDPR
2080 Breach Reporting – HIPAA
2090 Disclosures Required by Law
Data Security and Privacy
3000 Security Management Process
3002 Passwords and Encryption Keys
3004 Pseudonymisation, De-identification, Anonymisation and Storage Limitation
3005 Data Backup
3010 Disaster Recovery Plan and Emergency Mode Operation
3015 Facility Security and Access Control
3020 Periodic Security Evaluation
3025 Audit Control and Activity Review
3030 Malicious Software Protection
3040 Security Awareness Program
3050 Device and Media Disposal and Re-Use
3060 Technical Safeguards
3062 Technical Controls for Mobile Devices
3090 Security Incident Response and Reporting
Appendix A – Identifying Business Associates
Appendix B – Sample HIPAA BAA – For Use with Subcontractors
Appendix B2 – Sample HIPAA BAA – For Use with Customers
Appendix C – Facility Security and Access Plan
Appendix D – Workforce Access to PHI and Safeguards
Appendix E – Miscellaneous
Appendix F – Disaster Recovery Plan
Appendix G – GDPR Lawfulness of Processing
[ORGANIZATION] HIPAA Disclosure Log
Employee-Owned Mobile Device Agreement
Company-Owned Mobile Device Agreement
The policy templates are approximately 90 pages and are delivered in Microsoft Word format for easy customization; hyperlink functionality makes for a reader-friendly experience. A perpetual license is granted to the user to use and modify the policies for a single clinic. Policies may be used in hardcopy format or electronically via your organization’s server. When used online, all staff have immediate access. Online citations and references are included with full hyperlink functionality to allow quick access to the relevant HIPAA, GDPR, and/or other reference materials.