Often practices (and business associates) do not have ALL the policies and procedures required to satisfy the requirements of HIPAA. Find below the list of all the policies you need under the regulations. The full list will run you about 300 pages.

Administrative Safeguards

  • AS-100: Security and Privacy Program Specifications – Formulating the HIPAA Compliance Plan
  • AS-105: Confidentiality and Privacy of PHI
  • AS-110: Minimum Necessary Use & Disclosure of PHI/ePHI
  • AS-115: Policy for Requiring that Plan Documents include HIPAA Disclosure Constraints
  • AS-120: Implementation Specifications – Administrative, Physical and Technical Standards
  • AS-122: Asset Inventory
  • AS-125: Development and Maintenance of Privacy Policies and Procedures
  • AS-130: Disciplinary Actions for Breach of Confidentiality, Privacy or Security Sanctions & Penalties
  • AS-132: Termination Procedure
  • AS-134: Workforce Clearance Procedure
  • AS-135: Security Reminders
  • AS-140: Job Description – Chief Privacy Officer
  • AS-145: Job Description – Chief Security Officer
  • AS-150: Non-Retaliation Policy
  • AS-155: Fax Transmittal of PHI
  • AS-170: Reporting of Privacy Concern and Security Breach Policy
  • AS-180: What Constitutes a Breach of PHI
  • AS-182: Incidental Use and Disclosure of Protected Health Information
  • AS-185: Tracking Privacy & Security Breach Disclosures
  • AS-190: Mitigation After Improper Use and Disclosure of PHI
  • AS-195: HIPAA Fraud and Abuse
  • AS-200: Restricting Use of PHI and Confidential Communications
  • AS-210: Risk Analysis
  • AS-215: Protection from Malicious Software
  • AS-220: Log in Monitoring/Audit Controls
  • AS-225: Data Back-up and Storage
  • AS-230: Disaster Recovery Plan
  • AS-235: Emergency Mode Operation Plan
  • AS-240: Testing and Revision of Contingency Plans
  • AS-250: Applications and Data Criticality Analysis
  • AS-255: Device and Media Controls and Accountability
  • AS-260: Policies and Procedures for Conducting Business with Business Associate
  • AS-261: Business Associate Due Diligence
  • AS-265: Identifying Business Associates and Distributing BA Agreements
  • AS-270: Education and Training

Documentation and Retention

  • DR-105: Development and Maintenance of Security Policies and Procedures
  • DR-110: Periodic Evaluation of Privacy and Security Policies
  • DR-115: Documentation Review and Retention
  • DR-120: Availability of Documented Policies and Procedures

Technical Safeguards

  • TS-105: Password Management/Person Entity Authentication
  • TS-110: Automatic Device Locking
  • TS-115: Encryption and Decryption of Electronically Transmitted Data
  • TS-120: Integrity Controls and Data Transmission
  • TS-125: Protecting Integrity of ePHI from Improper Alteration or Destruction
  • TS-135: Data Backup and Storage
  • TS-140: Emergency Access Procedure
  • TS-150: Mechanism to Authenticate

Privacy Regulations

  • PR-105: Notice of Privacy Practices
  • PR-110: Pledge of Confidentiality of Protected Health Information
  • PR-115: Use of PHI
  • PR-120: Acknowledgement of Receipt of Notice of Privacy Practices
  • PR-130: Access & Denial of Request for PHI
  • PR-135: Amending PHI
  • PR-140: Accounting of Disclosures
  • PR-150: Breach Notification Policy and Procedures
  • PR-155: Patient Authorization
  • PR-160: Uses and Disclosures of PHI to Family and Friends
  • PR-180: Use and Disclosure of PHI for Research
  • PR-185: Use and Disclosure of Psychotherapy Notes
  • PR-190: Use and Disclosure of PHI for Judicial or Administrative Proceedings
  • PR-195: Use and Disclosure of PHI for Specialized Government Functions
  • PR-200: Use & Disclosure for Disaster Relief Purposes
  • PR-210: Use and Disclosure of PHI for Health Oversight Reporting
  • PR-220: Use and Disclosure of PHI for Law Enforcement Agencies
  • PR-225: Permitted Use & Disclosure for Emergency Treatment
  • PR-230: Use and Disclosure of PHI for Deceased Individuals
  • PR-235: Use & Disclosure of PHI for Worker’s Compensation
  • PR-240: Use and Disclosure PHI for Public Health & Safety
  • PR-245: Use and Disclosure of PHI to Coroners, Funeral Directors and Organ Procurement Organizations
  • PR-250: De-identification of Protected Health Information (PHI)
  • PR-255: Employee Use of Social Media
  • PR-260: Use of Mobile Devices
  • PR-265: Consent for Treatment, Payment and Healthcare Operations
  • PR-267: Separation of Employee Health Documents
  • PR-270: Monitoring of PHI Disclosures by Business Associates

Physical Safeguards

  • PS-105: Disposal of ePHI and/or Hardware
  • PS-120: Facility Access Controls
  • PS-125: Access Controls and Validation Procedures – Facilities
  • PS-130: Facility Security Plan
  • PS-145: Workstation Security
  • PS-150: Media Reuse
  • PS-155: Contingency Operations
  • PS-160: Maintenance Records

Appendix A – Glossary and Forms

  • Glossary
  • IT Asset Inventory (Form AS-122a)
  • Facsimile Cover Sheet (Form AS-155a)
  • Privacy Concern or Security Breach Investigation Form (Form AS-170a)
  • Restriction Request for Use and Disclosure of Protected Health Information (PHI) (Form AS-200a)
  • Business Associate Agreement (Form AS-260a)
  • Business Associate Decision Tree (Form AS-260c)
  • HIPAA Diagnostic – A Rubric for Compliance (Form AS-261a)
  • Due Diligence Review Results (Form AS-261b)
  • Notice of Privacy Practices (sample of required information) (Form PR-105a)
  • Pledge of Confidentiality of Protected Health Information (Form PR-110a)
  • Request for Access to Protected Health Information (Form PR-130a)
  • Notice of Decision of Request to Access, Inspect or Amend PHI (Form PR-130b)
  • Request for Amendment of Protected Health Information (Form PR-135a)
  • Request for Amendment Denial (Form PR-135b)
  • Consent for Health Information to be Communicated by Alternative Means (Form PR-145b)
  • Authorization for Use and Disclosure of Protected Health Information (Form PR-155a)