You’ve Been Appointed as a HIPAA Officer—Now What?
Petula Workman, CEBS
Division Vice President, Compliance Counsel
Arthur J. Gallagher & Co.
Houston, Texas
(8A-1)

Overview (8A-2)
• Identify
• Assess
• Train
• Implement
• Document
• Retain
• Repeat
Identify (8A-3)

Identify (8A-4)
• The players
  – HIPAA Privacy Officer
  – HIPAA Privacy Contact Officer
  – HIPAA Security Officer
  – HIPAA Workforce Members

Identify (8A-5)
• HIPAA Privacy Officer
  – A health plan must designate a privacy official who is responsible for developing and implementing the plan’s Privacy policies and procedures
    • Investigates security incidents and complaints
    • Oversees responses to requests for access

Identify (8A-6)
• HIPAA Privacy Contact Officer
  – A health plan must designate a contact person or office to receive complaints and provide further information about rights and responsibilities contained in the health plan’s Notice of Privacy Practices
    • Plan’s uses and disclosures of PHI
    • Invocation of Individual Rights
  – May be the same or a different person as the HIPAA Privacy Officer

Identify (8A-7)
• HIPAA Security Officer
  – Identify the security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule

Identify (8A-8)
• HIPAA Workforce Members
  – A health plan must identify:
    • Those persons or classes of persons, as appropriate, in its workforce who need access to PHI to carry out their duties; and
    • For each such person or class of persons, the category or categories of PHI to which access is needed and any conditions appropriate to such access

Identify (8A-9)
• Key HIPAA Workforce Members
  – Individuals who handle benefit-related functions
    • Marketing
    • Claims analysis
    • Assisting employees with claims and benefits issues
    • COBRA administration
  – IT personnel
  – Payroll

Identify (8A-10)
• HIPAA Workforce Members—Payroll
  – “Payment” is defined as an activity undertaken by
    a) A health plan to obtain premiums or to determine or fulfill its responsibility for the provision of benefits under the health plan; or
    b) A health care provider or a health plan to obtain or provide reimbursement for health care
  – Payroll employees see deductions from paychecks representing premium payments

Identify (8A-11) [Security Officer]
• Identify and periodically update job duties
  – Privacy Officer
  – Security Officer
  – HIPAA Workforce Members
• Limit technical access based upon job duties
• Ensure that HIPAA Workforce Members are properly screened (e.g., conduct a background check)

Identify (8A-12)
• Identify correct entities with whom Business Associate Agreements are required
  – Consultants/Brokers
  – Third-party administrators
  – COBRA vendors
  – Benefits confirmation vendors
  – 6055/6056 vendors (if information comes from plan)
  – Cloud storage providers
  – Off-site document storage providers
  – Document and electronic media shredders
  – Health FSA vendors
Assess (8A-13)

Assess (8A-14)
• Understand HIPAA rules and regulations
  – HHS webpage: http://www.hhs.gov/hipaa/for-professionals/index.html
  – Recent OCR Compliance Resolution Agreements: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
  – OCR Audit Protocol: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html

Assess (8A-15)
• Periodically review
  – Review type of PHI shared
    • Employee claims issues
    • Enrollment data from carrier or TPA website
    • Claims reports from carriers and TPAs
    • COBRA administration
    • PPACA reporting information (from health plan)
    • Responses to QMCSO or divorce court proceeding inquiries (directed to health plan)
  – How PHI flows in and through your organization
    • Determine which individuals are involved
      – Create an internal PHI flow map
      – Create an external PHI flow map
    • Determine means to share PHI (e.g., secure email portal, unencrypted email)

Assess (8A-16)
[Figure: Electronic PHI Internal Map Example. Nodes shown: Benefits Department, Payroll, Field Locations, IT, Corporate/Legal, Employees. Data types shown: EOBs/claims issues, QMCSOs, divorce proceedings, contributions only. Channels and storage shown: personal emails; laptops, desktops, email, servers; VPN; remote access; email scans; shared drive.]

Assess (8A-17)
• Periodically review
  – Where PHI is stored
    • Paper format
    • Electronic format
      – Hard drives
      – Group drives
      – Copiers
      – Scanners
      – Fax machines
      – Servers
      – Portable electronic media
  – Review where PHI is accessed
    • Include personal devices
    • Include remote access capabilities to network

Assess (8A-18)
• Periodically review
  – Written policies and procedures
    • Conduct a more immediate review if any changes in business operations (e.g., new email provider) or operating environment (e.g., moving benefits offices) occur
    • HIPAA Privacy and Security Officers should meet at least annually to ensure that the health plan’s Privacy and Security policies and procedures are aligned

Assess (8A-19)
• As part of periodic review, produce an analysis and report of compliance gaps
  – Map requirements to policies and procedures
  – Determine what changes to existing policies and procedures are needed
  – Determine what new policies and procedures are needed
• Develop additional training

Assess (8A-20)
• At least annually, review past security incidents
  – Review steps taken to mitigate and remediate
  – Determine whether safeguards and/or policies and procedures should be revised or updated
• Whenever a Breach occurs, immediately review policies and procedures to determine which may require changes to prevent future Breaches

Assess (8A-21) [Security Officer]
• Evaluate technical and nontechnical Security measures
• Perform updated Risk Analysis
  – Maintain current Risk Analysis
  – Determine whether changes in business operations (e.g., acquisition of a subsidiary) or business environment (e.g., changing location of servers) trigger the need for a new Risk Analysis

Assess (8A-22)
• Review new Business Associate Agreements
  – Plan must obtain satisfactory assurances that the Business Associates will appropriately safeguard the plan’s PHI
    • A plan is not required to obtain satisfactory assurances from a subcontractor
  – Agreement should contain assurances that the Business Associate will have an appropriate agreement with the subcontractor
• Ensure that applicable provisions are in place to handle Breach Notification, mitigation, and remediation
  – In particular, address who will notify impacted individuals in case of a Breach

Assess (8A-23)
• Assess each Business Associate’s measures to protect the confidentiality, integrity, and availability of the health plan’s PHI
  – Request each Business Associate’s own HIPAA policies and procedures
Train (8A-24)

Train (8A-25)
• Training is required under both the Privacy and Security Rules
  – No specific rules on format
    • Webinars can be effective
    • Most effective format is in-person training
  – No specific rules on timing
    • But some best practices suggest good rules to follow

Train (8A-26) [Privacy Officer]
• Privacy Training
  – A plan must train all of its HIPAA Workforce Members “on the policies and procedures with respect to PHI required by the Privacy Rule, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity”
  – HIPAA Workforce Members should also be trained about what constitutes a breach and on the policies and procedures for reporting, analyzing, and documenting a possible breach of unsecured protected health information

Train (8A-27) [Security Officer]
• Security training
  – Plans must implement a security awareness and training program for all HIPAA Workforce Members (including management)
    • Security Reminders
    • Protection from Malicious Software
    • Log-in Monitoring
    • Password Management

Train (8A-28)
• Include an affirmation that no intimidating, discriminatory, or other retaliatory actions will occur against persons who:
  – File, testify, assist, or participate in any investigation, compliance review, proceeding, or hearing related to a HIPAA Privacy, Security, or Breach Notification violation, or
  – Oppose any unlawful act or practice under HIPAA

Train (8A-29)
• Timing
  – For new HIPAA Workforce Members, conduct training within a reasonable period of time after the person joins the plan’s workforce
    • Best practice = within 30 days
  – For each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures
  – No specific requirement about when to conduct training for existing HIPAA Workforce Members in the absence of a change in policies or procedures
    • Best practice = annual training
Implement (8A-30)

Implement (8A-31) [Privacy Officer]
• Ensure HIPAA Workforce Members’ adherence to Privacy policies and procedures
  – Verification of identity of individuals seeking access to PHI
  – Compliance with the Minimum Necessary Standard

Implement (8A-32) [Privacy Officer]
• Ensure HIPAA Workforce Members’ adherence to health plan Privacy policies and procedures
  – Handling individual rights (particularly creating an accounting of disclosures for non-routine disclosures of PHI)
    • Privacy Officer should be primarily responsible for reviewing requests that result in a denial

Implement (8A-33) [Security Officer]
• Maintain a current inventory of information systems that create, receive, transmit, or maintain ePHI
  – Hardware, software, input and output sources
• Coordinate reviews of records of information system activity on a regular basis to prevent, detect, correct, and contain security violations by the use of hardware, software and/or procedural mechanisms that record and examine activity in information systems that store or use ePHI

Implement (8A-34) [Security Officer]
• Maintain technical safeguards (such as protection against malicious software, use of strong passwords) in support of Security Rule requirements
• When reasonable or appropriate, implement electronic automatic logoff mechanisms

Implement (8A-35) [Security Officer]
• Implement physical and technical safeguards for all workstations that access ePHI to restrict access to authorized users

Implement (8A-36) [Security Officer]
• Addressable safeguards
  – Mechanisms to encrypt and decrypt ePHI in transit or at rest
  – Termination of electronic access upon termination of employment or change in job duties

Implement (8A-37)
• Take a proactive approach to handling potential Breaches
  – Train workforce members to identify security incidents
  – Create security incident team
    • HIPAA Privacy Officer
    • HIPAA Security Officer
    • Legal Counsel
    • Consultant/Broker
    • Public relations (department or consultant)
    • Computer forensics experts
  – Create budget
    • Estimated cost per record is greater than $360 per record
  – Consider Cyber Liability insurance

Implement (8A-38)
• Take a proactive approach to handling potential Breaches
  – Investigate promptly
    • Determine the nature and extent of the PHI involved
    • Determine what types of identifiers the data included and how easily individuals could be re-identified
    • Determine who received or used the PHI
    • Determine whether the PHI was actually acquired or viewed
    • Determine whether the risk to the PHI has been mitigated, and if so, to what extent

Implement (8A-39)
• Take a proactive approach to handling potential Breaches
  – Communicate promptly
    • Although HIPAA allows for 60 days, notification to individuals should occur as soon as possible to protect the individuals impacted
  – Ensure that a communications plan is in place prior to a Breach
    • Don’t forget about notification to HHS and the potential obligation to notify media

Implement (8A-40)
• Take a proactive approach to handling potential Breaches
  – Implement mitigation and remediation efforts as soon as possible
  – Generally, however, it will take two to three years for a Breach reported to HHS to work through the Compliance Resolution process
Document (8A-41)

Document (8A-42) [Privacy Officer]
• The Privacy Rule requires health plans to maintain:
  – Policies and procedures in written or electronic form;
  – Any communication that is required by the Privacy Rule to be in writing (or an electronic copy);
  – A written or electronic record of any action, activity, or designation that the Privacy Rule requires to be documented; and
  – Documentation sufficient to meet the burden of proof under the Breach Notification provisions

Document (8A-43) [Privacy Officer]
• Key Privacy documentation requirements
  – Designation of HIPAA Privacy Officer and Workforce Members
  – Policies and procedures
  – Notice of Privacy Practices
  – Non-routine disclosures

Document (8A-44) [Privacy Officer]
• Key Privacy documentation requirements
  – Non-routine disclosures
    • About victims of abuse, neglect, or domestic violence
    • Accidental disclosures
    • Disclosures pursuant to a court order or subpoena
    • Disclosures required by law
    • For judicial and administrative proceedings*
    • For law enforcement purposes*
    • For public health activities (except child abuse reports)*
    • For health oversight activities
* Under proposed HIPAA regulations

Document (8A-45) [Privacy Officer]
• Key Privacy documentation requirements
  – Non-routine disclosures
    • About decedents
    • For cadaveric organ, eye or tissue donation purposes
    • For certain limited research purposes
    • To avert a serious threat to health or safety*
    • For specialized government functions
    • For military and veterans activities, the Department of State’s medical suitability determinations, and government programs providing public benefits*
    • Related to workers’ compensation programs
* Under proposed HIPAA regulations

Document (8A-46) [Privacy Officer]
• Key Privacy documentation requirements
  – Responses to individual rights
    • Restrictions on use and disclosure
    • Request for an amendment
    • Request for an accounting of disclosures
    • Request for confidential communications
    • Request for access

Document (8A-47) [Privacy Officer]
• Key Privacy documentation requirements
  – Complaints
  – Sanctions
  – Security incident investigations
  – Breach Notification
    • Breach log
  – Identification of public officials seeking access to PHI
  – Training

Document (8A-48) [Security Officer]
• The Security Rule requires health plans to maintain:
  – Policies and procedures in written form (which may be electronic);
  – A written record (which may be electronic) of any action, activity, or assessment that the Security Rule requires to be documented

Document (8A-49) [Security Officer]
• Key Security documentation requirements
  – Designation of Security Officer
  – Risk Analysis and Risk Management Plan
  – Periodic Evaluation
  – Policies and procedures
    • Compliance with Required safeguards
    • Compliance with Addressable safeguards
  – Security incident investigations
  – Complaints
  – Sanctions
  – Training

Document (8A-50) [Security Officer]
• Key Security documentation requirements
  – Information system activity review
    • A plan must regularly review records of information system activity
      – Audit logs
      – Access reports
      – Security incident tracking reports
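The information system activity review required here, and the regular review of activity records called for under Implement (slide 8A-33), is the kind of check a Security Officer can partly automate. The following Python script is an added example, not part of the deck or of Gallagher's materials: it runs constructed ePHI access-log lines against a constructed HIPAA Workforce roster and produces findings for the security incident tracking report, flagging activity by terminated accounts, access outside a role's designated PHI categories, after-hours access, and repeated failed logins (log-in monitoring). The roster, log lines, log format, business hours and the five-failure threshold are all assumptions.

```python
"""Information system activity review over constructed ePHI access-log lines.

Checks the log against the plan's designated HIPAA Workforce roster and
produces findings for the security incident tracking report.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Assumptions for this example (not from the deck): business hours run
# 06:00-19:59, and five or more failed logins by one account in a review
# period is the threshold that goes into the incident tracking report.
BUSINESS_HOURS = range(6, 20)
FAILED_LOGIN_THRESHOLD = 5

# Constructed roster: each designated HIPAA Workforce Member with the
# categories of PHI their job duties require (hypothetical names/values).
# "active" is False once employment ended and access should have been cut.
WORKFORCE = {
    "bmartin": {"role": "benefits", "phi": {"claims", "enrollment"}, "active": True},
    "jlee":    {"role": "payroll",  "phi": {"contributions"},        "active": True},
    "rpatel":  {"role": "benefits", "phi": {"claims", "enrollment"}, "active": False},
}

# Constructed audit-log lines: timestamp, account, action, PHI category, result.
SAMPLE_LOG = """\
2016-09-06T09:12:04 bmartin READ claims ok
2016-09-06T09:15:31 jlee READ contributions ok
2016-09-06T10:02:17 jlee READ claims ok
2016-09-06T22:47:09 bmartin EXPORT claims ok
2016-09-07T08:01:55 rpatel READ claims ok
2016-09-07T08:03:10 tnguyen LOGIN - fail
2016-09-07T08:03:22 tnguyen LOGIN - fail
2016-09-07T08:03:40 tnguyen LOGIN - fail
2016-09-07T08:04:01 tnguyen LOGIN - fail
2016-09-07T08:04:25 tnguyen LOGIN - fail
2016-09-07T08:05:00 tnguyen LOGIN - fail
"""


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str
    detail: str


def parse_line(line):
    """Split one log line into (timestamp, account, action, category, result)."""
    ts, account, action, category, result = line.split()
    return datetime.fromisoformat(ts), account, action, category, result


def review_log(log_text, workforce):
    """Return the findings a reviewer would carry into the tracking report."""
    findings = []
    failed_logins = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, account, action, category, result = parse_line(raw)
        stamp = when.isoformat()
        if action == "LOGIN" and result == "fail":
            failed_logins[account] += 1  # log-in monitoring, tallied per account
            continue
        member = workforce.get(account)
        if member is None:
            # Successful activity by an account that was never designated
            findings.append(Finding(account, "non-workforce access", f"{action} {category} at {stamp}"))
            continue
        if not member["active"]:
            # Access should have been terminated with the employment change
            findings.append(Finding(account, "access after termination", f"{action} {category} at {stamp}"))
            continue
        if category not in member["phi"]:
            # Minimum Necessary: category outside the role's designated PHI
            findings.append(Finding(account, "outside designated PHI categories",
                                    f"{member['role']} role accessed {category} at {stamp}"))
        if when.hour not in BUSINESS_HOURS:
            findings.append(Finding(account, "after-hours access", f"{action} {category} at {stamp}"))
    for account, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(Finding(account, "repeated failed logins", f"{count} failed logins"))
    return findings


def summarize(findings):
    """Count findings by kind for the periodic evaluation report."""
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG, WORKFORCE):
        print(f"{f.kind:35} {f.account:10} {f.detail}")
    print(dict(summarize(review_log(SAMPLE_LOG, WORKFORCE))))
```

Each finding is one line for the security incident tracking report; the roster lookup is the same designation-of-workforce record the Privacy Officer documents under Document (8A-43).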
Document (8A-51) [Security Officer]
• Key Security documentation requirements
  – Emergency Plan
    • Data backup plan
    • Disaster recovery plan
    • Emergency mode operation plan

Document (8A-52)
• Plan document amendments
  – The plan documents of a group health plan must be amended to incorporate provisions to require the plan sponsor to take certain steps to safeguard PHI
Retain (8A-53)

Retain (8A-54)
• Health plans must:
  – Retain documentation required by the Privacy or Security Rule for six years from the date the documentation was created or the date it last was in effect, whichever is later
  – Make the documentation available to those persons responsible for implementing the procedures

Repeat (8A-55)

Repeat (8A-56)
• HIPAA compliance is an ongoing effort
  – Policies and procedures should not be treated as static processes
  – Periodic monitoring of compliance will reduce the risk of Breach or other mishandling of PHI
  – Incorporation of HIPAA compliance into everyday activities leads to better practices

Thank You (8A-57)
© 2016 GALLAGHER BENEFIT SERVICES, INC. SEPTEMBER 2016
HIPAA Officer Checklist
The Health Insurance Portability and Accountability Act (“HIPAA”) requires health plans to designate individuals to fulfill two very important roles – that of HIPAA Privacy Officer and that of HIPAA Security Officer. Those individuals have ongoing responsibilities which may be overlooked. Below are two charts highlighting important responsibilities associated with each role.

HIPAA Privacy Officer
Step | Completed | Activity | Date Completed
Identify | ☐ Yes ☐ No | Ensure that HIPAA Workforce Member job descriptions adequately describe the access necessary for individuals to accomplish their job duties associated with use and disclosure of PHI |
Identify | ☐ Yes ☐ No | Periodically (at least annually) review job descriptions for HIPAA Workforce Members and determine whether access is appropriate for each Workforce Member |
Identify | ☐ Yes ☐ No | Determine all entities that are business associates with whom a Business Associate Agreement is required |
Assess | ☐ Yes ☐ No | Maintain current knowledge of HIPAA Privacy Rules and regulations |
Assess | ☐ Yes ☐ No | Periodically (at least annually) review how PHI flows internally and externally and whether PHI is protected while in transit |
Assess | ☐ Yes ☐ No | Periodically (at least annually) review how PHI is stored and whether PHI is protected while stored (e.g., locked file cabinet) |
Assess | ☐ Yes ☐ No | Annually review HIPAA Privacy policies and procedures for current compliance with HIPAA (in particular, compare to the current HIPAA audit protocol from HHS: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html) |
Assess | ☐ Yes ☐ No | If any breaches of non-electronic PHI occur, assess policies and procedures to determine if changes are needed to prevent a future breach. If a breach of ePHI occurs, coordinate the assessment with the Security Officer. |
Assess | ☐ Yes ☐ No | Review any changes in business operations (e.g., new email provider) or operational environment (e.g., change in offices for benefits department) to determine whether Privacy policies and procedures must be altered |
Assess | ☐ Yes ☐ No | At least annually, meet with the HIPAA Security Officer to review whether the health plan’s Privacy policies and procedures are aligned with the health plan’s Security policies and procedures (remember that the Security policies and procedures are intended to support the separation between the HIPAA Workforce Members and other workforce members) |
Assess | ☐ Yes ☐ No | Review Business Associate Agreements, with assistance of applicable legal counsel, prior to engagement to ensure that the Business Associate provides assurance that it will implement safeguards necessary to protect the confidentiality, integrity, and availability of the health plan’s PHI, that any subcontractors engaged by the Business Associate will also comply, and that the Business Associate will timely comply with any Breach Notification obligations |
Assess | ☐ Yes ☐ No | Monitor Business Associate and other third-party compliance with HIPAA (this may require questioning those third parties about HIPAA compliance and include a request to review the third party’s own HIPAA policies and procedures) |
Train | ☐ Yes ☐ No | Conduct a Privacy training program for HIPAA Workforce Members (as a best practice, new HIPAA Workforce Members should be trained within 30 days of joining the HIPAA Workforce membership, and all HIPAA Workforce Members should be retrained annually) |
Train | ☐ Yes ☐ No | Ensure that no intimidating, discriminatory, or other retaliatory actions occur against persons who file, testify, assist, or participate in any investigation, compliance review, proceeding, or hearing related to a HIPAA Privacy, Security, or Breach Notification violation or who oppose any unlawful act or practice under HIPAA; further ensure that training includes a statement that the organization will not intimidate, discriminate, or retaliate against individuals engaging in such actions |
Train | ☐ Yes ☐ No | Ensure that all workforce members are appropriately trained and knowledgeable about what constitutes a breach and on the policies and procedures for reporting, analyzing, and documenting a possible breach of unsecured protected health information |
Implement | ☐ Yes ☐ No | Ensure that individuals responsible for using and disclosing PHI with involvement of third parties (such as insurance carriers, third-party administrators, consultant/brokers, employees, other plan participants, parents, and government officials) follow appropriate procedures to verify the identity of those third parties and are documenting the means of verification |
Implement | ☐ Yes ☐ No | Periodically review HIPAA Workforce Members’ adherence to Minimum Necessary Standards (e.g., review whether more individuals than necessary are copied on emails with PHI; review whether reports have more PHI than necessary for health plan administration purposes) |
Implement | ☐ Yes ☐ No | Oversee requests for use of individual rights by ensuring that requests are handled correctly and appropriate forms are used by HIPAA Workforce Members to address requests for application of individual rights (right to access; right to an amendment or correction; right to confidential communications; right to restrictions on use or disclosure of PHI; and right to an accounting of disclosures) |
Document | ☐ Yes ☐ No | Investigate any security incidents involving non-electronic PHI |
Document | ☐ Yes ☐ No | Coordinate investigation of any security incidents involving electronic PHI with the HIPAA Security Officer |
Document | ☐ Yes ☐ No | Make documents available to the Secretary of Health and Human Services when requested to determine the health plan’s compliance with HIPAA Privacy Rules (best practice is to maintain a binder with written policies and procedures, business associate agreements, and the Notice of Privacy Practices) |
Document | ☐ Yes ☐ No | Periodically review HIPAA Workforce Members’ tracking of non-routine disclosures of PHI |
Document | ☐ Yes ☐ No | Ensure that individuals are aware of the means to make a complaint about the health plan’s adherence to the HIPAA Rules and to the organization’s own policies and procedures (contact information should be provided in the Notice of Privacy Practices and potentially as part of any organizational ethics hotline) |
Document | ☐ Yes ☐ No | Ensure that any sanctions policy for individuals who violate the HIPAA Rules or the organization’s own policies and procedures is incorporated within or is coordinated with organizational policies for sanctioning inappropriate behavior by workforce members |
Document | ☐ Yes ☐ No | Ensure that the Notice of Privacy Practices is timely distributed to newly eligible individuals |
Document | ☐ Yes ☐ No | Ensure that plan participants are notified where to find the Notice of Privacy Practices every three years (usually called a notice of availability) (triennial notice required, but best practice is to provide it each year with annual enrollment materials) |
Document | ☐ Yes ☐ No | Ensure that any necessary Breach Notification requirements are met (timely notice to impacted individuals and HHS; timely notice to media, if required) |
Retain | ☐ Yes ☐ No | Ensure that required documents are retained for the applicable six-year period |
HIPAA Security Officer
Step | Completed | Activity | Date Completed
Identify | ☐ Yes ☐ No | Ensure that HIPAA Workforce Members’ technical access to ePHI is limited to the access necessary to accomplish their job duties and that mechanisms are in place to authenticate the identity of each individual when accessing information systems containing ePHI |
Identify | ☐ Yes ☐ No | Authorize user access to systems containing ePHI based upon job responsibilities for individuals who work with ePHI or in locations where ePHI might be accessed, and ensure that individuals with access to ePHI have sufficient supervision and the necessary level of access for each individual to perform the individual’s assigned job responsibilities (this is an addressable safeguard; if not adopted, document the reasonable alternative implemented) |
Identify | ☐ Yes ☐ No | Ensure that all HIPAA Workforce Members who will access ePHI are properly screened (e.g., have background checks) |
Assess | ☐ Yes ☐ No | Maintain current knowledge of HIPAA Security Rules and regulations |
Assess | ☐ Yes ☐ No | Periodically (at least annually) review how ePHI flows internally and externally and whether PHI is protected while in transit (coordinate with the Privacy Officer for non-electronic PHI) |
Assess | ☐ Yes ☐ No | Periodically (at least annually) review how ePHI is stored and whether PHI is protected while stored (e.g., locked file cabinet) |
Assess | ☐ Yes ☐ No | Annually review HIPAA Security policies and procedures for current compliance with HIPAA (in particular, compare to the current HIPAA audit protocol from HHS: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html) |
Assess | ☐ Yes ☐ No | Review any changes in business operations (e.g., new email provider) or operational environment (e.g., change in offices for benefits department) to determine whether Security policies and procedures must be altered |
Assess | ☐ Yes ☐ No | If any breaches of ePHI occur, assess current administrative, physical and technical safeguards to determine if changes are needed to prevent a future breach. |
Assess | ☐ Yes ☐ No | Periodically conduct a Risk Analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI that the Plan transmits, receives, maintains, or creates, including an assessment of internal and external risks that may arise from human activity (accidental and intentional), structural causes, or natural/environmental causes |
Assess | ☐ Yes ☐ No | Periodically perform a technical and non-technical evaluation to establish the extent to which the health plan’s policies and procedures meet the HIPAA Security Rule’s requirements; in particular, conduct such an evaluation in response to environmental or operational changes or newly recognized risks |
Assess | ☐ Yes ☐ No | At least annually, meet with the HIPAA Privacy Officer to review whether the health plan’s Privacy policies and procedures are aligned with the health plan’s Security policies and procedures (remember that the Security policies and procedures are intended to support the separation between the HIPAA Workforce Members and other workforce members) |
Assess | ☐ Yes ☐ No | Review Business Associate Agreements, with assistance of applicable legal counsel, prior to engagement to ensure that the Business Associate provides assurance that it will implement safeguards necessary to protect the confidentiality, integrity, and availability of the health plan’s ePHI, and that any subcontractors engaged by the Business Associate will also comply |
Train | ☐ Yes ☐ No | Conduct a Security training program for HIPAA Workforce Members (as a best practice, new HIPAA Workforce Members should be trained within 30 days of joining the HIPAA Workforce membership, and all HIPAA Workforce Members should be retrained annually) |
Train | ☐ Yes ☐ No | Provide security awareness training (login monitoring, protection against malicious software, password management, and security reminders) |
Implement | ☐ Yes ☐ No | Maintain a current inventory of information systems (hardware, software, input and output sources) that create, receive, transmit, or maintain ePHI |
Implement | ☐ Yes ☐ No | Coordinate reviews of records of information system activity on a regular basis to prevent, detect, correct, and contain security violations by the use of hardware, software and/or procedural mechanisms that record and examine activity in information systems that store or use ePHI |
Implement | ☐ Yes ☐ No | Maintain technical safeguards (such as protection against malicious software, use of strong passwords) in support of Security Rule requirements |
Implement | ☐ Yes ☐ No | When reasonable or appropriate, implement electronic automatic logoff mechanisms on certain ePHI systems or adopt equivalent alternative mechanisms (e.g., screen/session locking, screensaver implemented after a period of time) (this is an addressable safeguard; if not adopted, document the reasonable alternative implemented) |
Implement | ☐ Yes ☐ No | When appropriate, implement mechanisms to encrypt and decrypt ePHI in transit or at rest (this is an addressable safeguard; if not adopted, document the reasonable alternative implemented) |
Implement | ☐ Yes ☐ No | Oversee implementation of physical and technical safeguards for all workstations that access ePHI to restrict access to authorized users (e.g., use of user names and strong passwords or role-based access) |
Implement | ☐ Yes ☐ No | Coordinate retrieval of all applicable physical security tokens, keys, access cards, etc. that could be used to gain access to ePHI from the Workforce Member, and terminate electronic access to ePHI (e.g., remote access, email access) upon termination of employment or revision of job responsibilities to end access to ePHI (this is an addressable safeguard; if not adopted, document the reasonable alternative implemented) |
Document | ☐ Yes ☐ No | Investigate any security incidents involving ePHI |
Document | ☐ Yes ☐ No | Maintain a contingency operation plan for the health plan (including data backup, disaster recovery plan, and emergency mode operation plan; testing and revision of the contingency operation plan is an addressable safeguard, so if not adopted then an alternative should be documented) |
Document | ☐ Yes ☐ No | Maintain an inventory of all system components (including software and hardware) containing ePHI and determine the criticality of each (this is an addressable safeguard; if not adopted, document the reasonable alternative implemented) |
Document | ☐ Yes ☐ No | Document repairs, changes, and modifications to building exteriors, building interiors, and physical systems which are related to security for facilities housing electronic systems containing ePHI (this is an addressable safeguard; if not adopted, document the reasonable alternative implemented) |
Document | ☐ Yes ☐ No | Maintain workstation use policies, such as a prohibition against downloading, installing, or otherwise using software that has not been specifically authorized by IT |
Document | ☐ Yes ☐ No | Ensure that electronic media containing ePHI that is to be disposed of is thoroughly destroyed and rendered unusable for purposes of retrieving the PHI, under NIST standards |
Document | ☐ Yes ☐ No | Ensure that all ePHI on electronic media is removed or scrubbed, under NIST standards, prior to the media being re-used for storing non-PHI data |
Document | ☐ Yes ☐ No | Maintain a log of hardware and electronic media containing ePHI, and the names and positions of the persons responsible for using them, as a means of maintaining the confidentiality of ePHI (this is an addressable safeguard; if not adopted, document the reasonable alternative implemented) |
Document | ☐ Yes ☐ No | Ensure that ePHI is periodically backed up and that an exact, retrievable copy of any ePHI is created, when needed, prior to movement of equipment storing ePHI; document backups and movement |
Retain | ☐ Yes ☐ No | Ensure that required documents are retained for the applicable six-year period |
HIPAA Plan Document Amendment Checklist
Under the Health Insurance Portability and Accountability Act (“HIPAA”), employers who sponsor group
health plans must amend their plan documents to incorporate provisions as noted in the table below.
Amendments must address both Privacy and Security safeguards.
Privacy provisions to require the Plan Sponsor to:

| Completed | Provision |
| --- | --- |
| ☐ Yes ☐ No | Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with the Privacy Rule |
| | Provide that the group health plan will disclose protected health information (“PHI”) to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to: |
| ☐ Yes ☐ No | (A) Not use or further disclose the information other than as permitted or required by the plan documents or as required by law |
| ☐ Yes ☐ No | (B) Ensure that any agents to whom it provides PHI received from the group health plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information |
| ☐ Yes ☐ No | (C) Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor |
| ☐ Yes ☐ No | (D) Report to the group health plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware |
| ☐ Yes ☐ No | (E) Make available PHI in accordance with an individual’s right to access PHI |
| ☐ Yes ☐ No | (F) Make available PHI for amendment and incorporate any amendments to protected health information in accordance with an individual’s right to request an amendment to PHI |
| ☐ Yes ☐ No | (G) Make available the information required to provide an accounting of disclosures in accordance with an individual’s right to receive an accounting of certain disclosures of his or her PHI |
| ☐ Yes ☐ No | (H) Make its internal practices, books, and records relating to the use and disclosure of PHI received from the group health plan available to the Secretary of Health and Human Services for purposes of determining compliance by the group health plan with the Privacy Rule |
| ☐ Yes ☐ No | (I) If feasible, return or destroy all PHI received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible |
| ☐ Yes ☐ No | (J) Ensure that the adequate separation required by the Privacy Rule is established (see next section) |

Provide for adequate separation between the group health plan and the plan sponsor by:

| Completed | Provision |
| --- | --- |
| ☐ Yes ☐ No | (A) Describing those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the PHI to be disclosed (HIPAA Workforce Members), provided that any employee or person who receives PHI relating to payment under, health care operations of, or other matters pertaining to the group health plan in the ordinary course of business must be included in such description |
| ☐ Yes ☐ No | (B) Restricting the access to and use by such employees and other persons described to the plan administration functions that the plan sponsor performs for the group health plan |
| ☐ Yes ☐ No | (C) Providing an effective mechanism for resolving any issues of noncompliance by HIPAA Workforce Members with the plan document provisions required by the Privacy Rule |

Security provisions to require the Plan Sponsor to:

| Completed | Provision |
| --- | --- |
| ☐ Yes ☐ No | Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of the group health plan |
| ☐ Yes ☐ No | Ensure that the adequate separation required by the Privacy Rule (i.e., designation of HIPAA Workforce Members) is supported by reasonable and appropriate security measures |
| ☐ Yes ☐ No | Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information |
| ☐ Yes ☐ No | Report to the group health plan any security incident of which it becomes aware |