A Consultant-Driven Solution for full HIPAA Compliance
Project Plan
Step 1: Information Gathering
Step 2: Document Creation
Step 3: Policy Review
Step 4: Workforce Training
Information Gathering
This phase involves a comprehensive information-gathering exercise to identify the organization’s existing policies and procedures as they relate to HIPAA privacy and security. Know HIPAA utilizes a proprietary questionnaire for this purpose that will identify:
Basic organizational information (contact names, addresses, phone numbers, etc.)
Information regarding the Organization’s Protected Health Information (PHI), including electronic PHI (ePHI) – where it is stored, who accesses it, and how it flows throughout the organization.
Current privacy procedures and safeguards
Current security procedures and safeguards
Vendors who may have access to the organization’s PHI.
Document Creation
Our consultant uses the information provided in the questionnaires to complete and/or finalize three (3) draft documents:
HIPAA Risk Analysis
HIPAA Privacy Manual
HIPAA Security Manual
Policy Review
Our consultant will schedule two (2) separate reviews with the client: one for review of the Privacy Manual, and one for review of the Security Manual and Risk Analysis. As part of these reviews, we will collaborate with the client’s Benefits/Human Resources contacts (for privacy) and Information Technology (IT) representatives (for security) to confirm our understanding and interpretation of the information provided by the client.
Upon completion of the reviews, we will incorporate any necessary changes into the documents and will submit final versions to the client.
Workforce Training
Once our consultant has issued final documents to the client, we will schedule a training session with the client’s key personnel. The training will be web-based and will cover the organization-specific policies.
Documentation
Risk Analysis
The Risk Analysis draws from the information contained in the Office of Civil Rights’ (OCR’s) online risk analysis tool. This ensures that the Risk Analysis addresses the issues that OCR has identified as critical to HIPAA security.
The Risk Analysis forms the basis for evaluating and improving the client’s security program. Items in the tool are ranked by impact, likelihood, and cost to help the client prioritize its remediation efforts. The client completes the Risk Analysis as part of the initial questionnaire process. During Phase 3, the Know HIPAA Consultant will review the results of the Risk Analysis with the client and make any clarifications or modifications as necessary to complete the Risk Analysis.
HIPAA Privacy and Security Manuals
The HIPAA Privacy and Security Manuals contain template language that provides a reasonable approach to complying with the requirements of the Privacy and Security Rules. Know HIPAA will customize the Privacy and Security Manuals to reflect the client’s own practices, when applicable.
Additional Forms
Along with copies of the finalized Risk Analysis and Privacy and Security Manuals, Know HIPAA will send the following sample forms to the client in order to help facilitate implementation of the HIPAA Privacy and Security requirements:
Sample Business Associate Agreement
Sample Notice of Privacy Practices
Sample Access to PHI Request Form
Sample Account of Disclosures Log
Sample Amendment of PHI Request Form
Sample Authorization for Release of Information Form
Sample Complaint Form
Sample Complaint Tracking Form
Sample Confidential Communications Request Form
Sample List of Business Associates
Sample Plan Amendment
Sample Plan Sponsor Certification to Group Health Plan
Sample Restriction on Use or Disclosure of PHI Request