Minimum Content of the Policies and Procedures Clause Samples
Minimum Content of the Policies and Procedures. The Policies and Procedures shall include, but shall not be limited to the following:
1. Policies regarding encryption of ePHI.
2. Policies regarding password management.
3. Policies regarding security incident response.
4. Policies regarding mobile device controls.
5. Policies regarding information system review.
6. Policies regarding security reminders.
7. Policies regarding log-in monitoring.
8. Policies regarding a data backup plan.
9. Policies regarding a disaster recovery plan.
10. Policies regarding an emergency mode operation plan.
11. Policies regarding testing and revising of contingency plans.
12. Policies regarding applications and data criticality analysis.
13. Policies regarding automatic log off.
14. Policies regarding audit controls.
15. Policies regarding integrity controls.
Minimum Content of the Policies and Procedures. The Policies and Procedures referenced herein shall, at minimum, provide for administrative, physical and technical safeguards (“safeguards”) to protect the privacy of non-electronic PHI to ensure that such PHI is appropriately and reasonably safeguarded from any intentional, unintentional or incidental use or disclosure that is in violation of the Privacy Rule.
Minimum Content of the Policies and Procedures. The Policies and Procedures shall include, but not be limited to:
1. Instructions and Procedures that address appropriate administrative, technical, and physical safeguards to protect PHI from any intentional or unintentional use or disclosure (a) for media inquiries and (b) that define PHI as it relates to individually identifiable health information (IIHI).
2. Protocols for training all members of SRMC’s workforce who use and disclose PHI to ensure that they know how to comply with the Policies and Procedures provided for in subparagraph (1) above.
1. Instructions and Procedures that address permissible and impermissible uses and disclosures of PHI (a) for media inquiries, (b) to workforce members who are not involved in the individual’s medical care and (c) that define PHI as it relates to individually identifiable health information (IIHI).
2. Application of appropriate sanctions against members of SRMC’s workforce who fail to comply with Policies and Procedures provided for in subparagraph (1) above.
3. Protocols for training all members of SRMC’s workforce who use and disclose PHI to ensure that they know how to comply with the Policies and Procedures provided for in subparagraph (1) above.
1. Instructions and Procedures that address (a) What is individually identifiable health information (IIHI) and the protected health information (PHI), including what is required for PHI to be unidentified; (b) Communicating with, and responding to, the media, including in regard to patient-related inquiries, and (c) Sharing of patient PHI within SRMC, including sharing of patient PHI with workforce members not involved in the provision of or payment for care.
2. Protocols for training all SRMC’s workforce members who use and disclose PHI to ensure that they know how to comply with the Policies and Procedures provided for in subparagraph (1) above.
3. Application of appropriate sanctions against SRMC’s workforce members who fail to comply with Policies and Procedures provided for in subparagraph (1) above.
Minimum Content of the Policies and Procedures. The Policies and Procedures shall include, but not be limited to:
1. Administrative and physical safeguards for the disposal of all non-electronic PHI that appropriately and reasonably safeguard such PHI from any use or disclosure in violation of the Privacy Rule and that limit incidental uses and disclosures, including, but not limited to, providing that paper PHI intended for disposal shall be shredded, burned, pulped, or pulverized so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
2. Measures that address the following Privacy Rule provisions:
a. Uses and disclosures of PHI – 45 C.F.R. § 164.502(a)
b. Safeguards – 45 C.F.R. § 164.530(c)(1)
c. Training – 45 C.F.R. § 164.530(b)(1)
Minimum Content of the Policies and Procedures. The Policies and Procedures shall include measures to address the following Privacy and Security Rule Provisions:
1. Uses and Disclosures of PHI - 45 CFR § 164.502(a)
2. Minimum Necessary - 45 CFR § 164.502(b)
3. Disclosures to Business Associates - 45 C.F.R. § 164.502(e)(1)
4. Training – 45 C.F.R. § 530(b)(1)
5. Safeguards - 45 C.F.R. § 164.530(c)(1)
6. Changes to Policies and Procedures - 45 C.F.R. § 164.530(i)(2)
Security Rule Provisions
7. Administrative Safeguards, including all required and addressable implementation specifications – 45 C.F.R. § 164.308(a) and (b)
8. Device and Media Controls – 45 C.F.R. § 164.310(d)(1)
9. Encryption and Decryption – 45 C.F.R. § 164.312(a)(2)(iv) & 164.312(e)(2)(ii)
10. Audit Controls – 45 C.F.R. § 164.312(b)
Minimum Content of the Policies and Procedures. The Policies and Procedures shall include measures to address the following Privacy and Security Rule provisions:
1. Uses and Disclosures of PHI- 45 C.F.R. § 164.502(a)
2. Security Management Process - 45 C.F.R. § 164.308(a)(1)(i)
3. Information Access Management - 45 C.F.R. § 164.308(a)(4)
4. Workstation Security - 45 C.F.R. § 164.310(c)
5. Device and Media Controls - 45 C.F.R. § 164.310(d)
Minimum Content of the Policies and Procedures. The Policies and Procedures shall include measures to address the following Privacy and Security Provisions:
1. Uses and Disclosures of PHI - 45 CFR § 164.502(a)
2. Minimum Necessary - 45 CFR § 164.502(b)
3. Disclosures to Business Associates - 45 C.F.R. § 164.502(e)(1)
4. Training – 45 C.F.R. § 164.530(b)(1)
5. Safeguards - 45 C.F.R. § 164.530(c)(1)
6. Changes to Policies and Procedures - 45 C.F.R. § 164.530(i)(2)
7. Administrative Safeguards, including all required and addressable implementation specifications – 45 C.F.R. § 164.308(a) and (b).
8. Physical Safeguards, including all required and addressable implementation specifications – 45 C.F.R. § 164.310.
Minimum Content of the Policies and Procedures. The Policies and Procedures shall address prohibited uses of PHI in email accounts and include measures to address the following Privacy, Security, and Breach Notification Rule Provisions:
1. Impermissible Uses/Disclosures – 45 C.F.R. § 164.502
2. Risk Analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A)
3. Risk Management – 45 C.F.R. § 164.308(a)(1)(ii)(B)
4. Sanctions – 45 C.F.R. § 164.308(a)(1)(ii)(C)
5. Information System Activity Review – 45 C.F.R. § 164.308(a)(1)(ii)(D)
Minimum Content of the Policies and Procedures. The policies and procedures shall include, but not be limited to, measures addressing the following Security and Privacy Rule provisions:
1. Evaluation – 45 C.F.R. § 164.308(a)(8), including a process(es) for performing periodic technical and nontechnical evaluations in response to environmental or operational changes affecting the security of Protected Health Information, that establishes the extent to which Aetna’s security policies and procedures meet the requirements of the Security Rule.
2. Person or Entity Authentication – 45 C.F.R. § 164.312(d), including procedures to verify that a person or entity seeking access to Protected Health Information is the one claimed.
3. Minimum Necessary Requirements – 45 C.F.R. § 164.514(d), including requirements to limit the Protected Health Information disclosed to the amount reasonably necessary to accomplish the given purpose.
4. Safeguards – 45 C.F.R. § 164.530(c), including appropriate administrative, technical, and physical safeguards to protect the privacy of Protected Health Information in mailings.
Minimum Content of the Policies and Procedures. The Policies and Procedures shall, at a minimum, include:
1. An accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI when it is created, received, maintained, used or transmitted by the Covered Entity, including, but not limited to, when ePHI is a) posted to an Internet-based electronic calendaring system, b) transmitted over an Internet-based electronic communications system, c) accessed remotely, or d) transmitted to or from or stored on a portable device. To satisfy this obligation, Covered Entity shall submit documentation of its most recent risk assessment completed since its initial risk assessment of December 2009.
2. A risk management plan that implements security measures sufficient to reduce risks and vulnerabilities to ePHI identified by the risk assessment to a reasonable and appropriate level, including, but not limited to, when ePHI is a) posted to an Internet-based electronic calendaring system, b) transmitted over an Internet-based electronic communications system, c) accessed remotely, or d) transmitted to or from or stored on a portable device. To satisfy this obligation, Covered Entity shall submit its risk management plan developed after completing its most recent risk assessment pursuant to subsection 1, above. Covered Entity’s risk management plan must implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level for ePHI in text messages that are transmitted to or from or stored on a portable device.
3. Identification of a security official who is responsible for the development and implementation of the Policies and Procedures required by this CAP and the Security Rule.
4. Satisfactory assurances that each business associate that receives, maintains, stores or transmits ePHI on behalf of the Covered Entity and has access to said ePHI will appropriately safeguard the ePHI in a written contract that meets the applicable requirements of the Security and Privacy Rules (see 45 C.F.R. §§164.314(a) and 164.504(e)).
5. Technical safeguards for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights pursuant to the Covered Entity’s information access management policies, including, but not limited to, remote access to the Covered Entity's electronic information systems.
6. Technical security measures to guard ...