HIPAA Guardian

A Consultant-Driven Solution for full HIPAA Compliance

Project Plan

  • Step 1: Information Gathering
  • Step 2: Document Creation
  • Step 3: Policy Review
  • Step 4: Workforce Training

Information Gathering

This phase involves a comprehensive information-gathering exercise to identify the organization’s existing policies and procedures as they relate to HIPAA privacy and security. Know HIPAA utilizes a proprietary questionnaire for this purpose that will identify:

  • Basic organizational information (contact names, addresses, phone numbers, etc.)
  • Information regarding the organization’s Protected Health Information (PHI), including electronic PHI (ePHI): where it is stored, who accesses it, and how it flows throughout the organization
  • Current privacy procedures and safeguards
  • Current security procedures and safeguards
  • Vendors who may have access to the organization’s PHI

Document Creation

Our consultant uses the information provided in the questionnaires to complete and/or finalize three (3) draft documents:

  • HIPAA Risk Analysis
  • HIPAA Privacy Manual
  • HIPAA Security Manual

Policy Review

Our consultant will schedule two (2) separate reviews with the client: one for review of the Privacy Manual, and one for review of the Security Manual and Risk Analysis. As part of these reviews, we will collaborate with the client’s Benefits/Human Resources contacts (for privacy) and Information Technology (IT) representatives (for security) to confirm our understanding and interpretation of the information provided by the client.

Upon completion of the reviews, we will incorporate any necessary changes into the documents and will submit final versions to the client.

Workforce Training

Once our consultant has issued final documents to the client, we will schedule a training with the client’s key personnel. The training will be web-based and will cover the organization-specific policies.

Documentation

Risk Analysis

The Risk Analysis draws from the information contained in the Office of Civil Rights’ (OCR’s) online risk analysis tool. This ensures that the Risk Analysis addresses the issues that OCR has identified as critical to HIPAA security.

The Risk Analysis forms the basis for evaluating and improving the client’s security program. Items in the tool are ranked by impact, likelihood, and cost to help the client prioritize its remediation efforts. The client completes the Risk Analysis as part of the initial questionnaire process. During Phase 3, the Know HIPAA Consultant will review the results of the Risk Analysis with the client and make any clarifications or modifications as necessary to complete the Risk Analysis.

HIPAA Privacy and Security Manuals

The HIPAA Privacy and Security Manuals contain template language that provides a reasonable approach to complying with the requirements of the Privacy and Security Rules. Know HIPAA will customize the Privacy and Security Manuals to reflect the client’s own practices, when applicable.

Additional Forms

Along with copies of the finalized Risk Analysis and Privacy and Security Manuals, Know HIPAA will send the following sample forms to the client to help facilitate implementation of the HIPAA Privacy and Security requirements:

  1. Sample Business Associate Agreement
  2. Sample Notice of Privacy Practices
  3. Sample Access to PHI Request Form
  4. Sample Account of Disclosures Log
  5. Sample Amendment of PHI Request Form
  6. Sample Authorization for Release of Information Form
  7. Sample Complaint Form
  8. Sample Complaint Tracking Form
  9. Sample Confidential Communications Request Form
  10. Sample List of Business Associates
  11. Sample Plan Amendment
  12. Sample Plan Sponsor Certification to Group Health Plan
  13. Sample Restriction on Use or Disclosure of PHI Request