HIPAA Policies and Procedures Designed for Information Technology Companies (Business Associates)
These policies are designed to meet the regulatory requirements of Information Technology companies that provide software or services to healthcare organizations, including physician practices, hospitals, insurance plans, other HIPAA covered entities and other Business Associates. This includes IT consultants, Managed Services companies, Value-Added Resellers and software authors offering medical or insurance software, and other IT service providers (note that we have a separate set of policies for Cloud Computing Vendors!). Under the HIPAA regulations, Information Technology companies that serve covered entities and business associates are HIPAA Business Associates themselves! Therefore, these IT companies are obligated to have certain written policies and procedures. All policies are compliant with the HITECH Act of 2009, the Breach Notification Rule, and the HIPAA Omnibus Rule published on January 25, 2013.
These policies are completely different from policies designed for medical practices, hospitals or insurance companies. They are built specifically around the business and services provided by IT organizations that serve covered entities. The benefits of using these policy templates include:
- Quickly bring your technology into compliance with HIPAA rules for business associates
- Saves you $1,000s in consulting fees
- Ability to customize the templates in Microsoft Word based on the unique requirements of your business
- Satisfaction is guaranteed by Eagle Consulting Partners, a leading consultant for IT security policies in healthcare
Your organization is subject to both civil and criminal penalties for non-compliance. That’s right. In 2016, the first-ever random audits of HIPAA Business Associates began. Penalties can soar into the millions of dollars, which makes HIPAA one of the toughest sets of government regulations. The four-tier penalty structure is as follows (see PDF):
- Did not know and, by exercising reasonable diligence, would not have known of the violation: penalty ranges from $100 to $50,000 per violation; up to $1,500,000 per identical violation per year.
- Violation due to reasonable cause and not willful neglect: $1,000 to $50,000 per violation; up to $1,500,000 per identical violation per year.
- Violation due to willful neglect, but the violation is corrected within 30 days after the covered entity knew or should have known of the violation: mandatory fine of $10,000 to $50,000 per violation; up to $1,500,000 per identical violation per year.
- Violation due to willful neglect, and the violation was not corrected within 30 days after the covered entity knew or should have known of the violation: mandatory fine of not less than $50,000 per violation; up to $1,500,000 per identical violation per year.
POLICIES FOR ALL STAFF
1000 Definitions for HIPAA Regulations and HIPAA Policies
1010 Confidentiality and Security – General Rules
1020 Minimum Necessary Policy
1030 Confidentiality Safeguards (Oral & Written)
1050 Computer Usage
1060 Portable Computing Devices and Home Computer Use
1080 Duty to Report Violations and Security Incidents
POLICIES FOR ADMINISTRATIVE MANAGEMENT
1500 Employee/Contractor Recruiting and Termination
1600 Disclosures Required by Law
POLICIES FOR TECHNICAL STAFF
2000 Technical Support Procedures
2005 Software Development Procedures
2010 Secure Network Configuration for Client Networks
2020 Cloud Backup Service
2025 Managed Services Protocols
2030 Remote Management and Monitoring (RMM) System Operation
2035 Data Destruction Service
2040 Authentication, Passwords and Encryption Keys
POLICIES FOR EXECUTIVE MANAGEMENT & SECURITY OFFICER
2900 Security Officer Appointment and HIPAA Documentation
3000 Security Management Process
3005 Data Backup
3010 Disaster Recovery Plan and Emergency Mode Operation
3015 Facility Security and Access Control
3020 Periodic Security Evaluation
3025 Audit Control and Activity Review
3030 Malicious Software Protection
3035 Breach Reporting
3040 Security Awareness Program
3050 Device and Media Disposal and Re-Use
3060 Technical Safeguards
3070 Business Associate Contracts
3075 Employee System Access
3090 Security Incident Response and Reporting
Appendix A – Identifying Business Associates and Sample BAA
Appendix B – Sample HIPAA Business Associate Agreement – For Use with Customers
Appendix C – Facility Security and Access Plan
Appendix D – Workforce Access to PHI and Safeguards
Appendix E – Miscellaneous
Appendix F – Disaster Recovery Plan
About the Author: Gary Pritts is Founder and President of Eagle Consulting Partners. His unique experience led to these popular HIPAA Policy templates. Gary understands IT managed services companies, medical software authors, and value-added resellers (VARs) and has created these templates specifically for these companies. He partnered with dozens of VARs in the early 2000s when the HIPAA rules were first implemented. He assisted the VARs by delivering HIPAA services to their physician practice customers. During that time, Gary crafted HIPAA policies for the VARs and his other software-author and managed services partners. These policies deal with topics such as help desk protocols, secure configuration of remote management and monitoring systems, and secure handling of client access credentials. In addition, the policies include guidance for the technical staff so that they can better assist HIPAA-regulated clients with their HIPAA compliance. His first-hand experience as a former general manager for a VAR and his partnerships with VARs, software authors and managed services companies have led to these policy templates. Gary studied computer science at Purdue University and holds an MBA from Harvard Business School.
Limited Time Special… Save 20% ($100) at Checkout… type in this code: Save-20
Purchase now: Protect your organization!
Only Eagle brings decades of healthcare experience to a strong GDPR policy that ALSO covers HIPAA regulations!