HIPAA HITECH Compliance Work Plan by Rebecca Herold, The Privacy Professor

By Jack Anderson CEO Compliance Helper, Posted 08/31/10    

Information Security & Privacy Compliance Program Work Plan

Based upon the work plan created for Compliance Helper, which includes all the documentation referenced within this plan.

See more at http://www.compliancehelper.com. © Rebecca Herold & Associates, LLC. All rights reserved. Page 1

The following is a high-level work plan to create an information security and privacy program to meet compliance with HIPAA, HITECH and other regulatory and contractual requirements. The areas listed will vary depending upon the organization’s business model, size, number of geographic locations, other applicable legal requirements, and any other unique factors. Each organization should use this as a starting point and change it appropriately for its own unique business situation.


1. Information Security and Privacy Program Management

a. Obtain Executive Management Support. An information security and privacy compliance program cannot be successful without the clear and strong support of executive management. Make sure your CEO, or the equivalent position, is willing to provide strong support for the information security and privacy program.

b. Establish Information Security and Privacy Leadership. Formally assign responsibilities for information security and privacy.

c. Enterprise-Wide Responsibilities. Document the key information security and privacy responsibilities throughout the organization.

d. Identify and Inventory Personal Information. Document where personal information, including Protected Health Information (PHI), is located and maintain this inventory.

e. Data Protection Compliance, Laws, Regulations and Standards Requirements. Identify and document all legal requirements for protecting information.

f. Information Security and Privacy Risk Assessment. Perform an information security and privacy risk assessment, including a gap analysis for HIPAA and HITECH compliance requirements.

g. Information Security and Privacy Policies. Formally document information security and privacy policies to address the identified risks, in addition to those necessary to meet HIPAA, HITECH and other applicable legal requirements.

h. Information Security and Privacy Procedures and Processes. Formally document the types of procedures and processes necessary throughout the organization to support the policies.

i. Access, Authorization, Process, and Technical Controls. Establish and maintain technical controls and settings to support the procedures and compliance.

j. Passwords. One of the most common vulnerabilities in an information security and privacy program is allowing the use of weak passwords. Make sure your program establishes requirements for strong passwords that cannot be easily discovered, and that must be changed under appropriate conditions.

k. Information Security and Privacy Education. People are the weakest link for security and privacy protections. HIPAA, HITECH and dozens of other legal requirements exist for providing regular training and ongoing awareness communications. Assign information security and privacy education responsibilities, and ensure strong executive support for those activities.


2. Training and Awareness

a. Training and Awareness Plan. Document a formal plan for providing regular training and ongoing awareness communications for information security and privacy.

b. Training Content. Identify and contract, purchase or create the training content to support the plan.

c. Awareness Content. Identify and contract, purchase or create the awareness content, and any associated activity materials, to support the plan.

3. Human Resources (HR) Activities

a. HR Security & Privacy Responsibility. Formally assign responsibilities to a position or team within HR for ensuring information security and privacy compliance activities in that area.

b. HR Information Security and Privacy Procedures. Create procedures for HR staff to follow, based upon their assigned work responsibilities and activities, to support compliance with the organization’s information security and privacy policies.

c. HR Information Security and Privacy Training. Ensure HR staff receive training and awareness specific to their unique work activities and job responsibilities to support compliance with the policies, procedures and the types of information, of all forms, that they handle.

4. Organization Management

a. Organization Management Security & Privacy Responsibility. Formally assign responsibilities to the Organization Management within each of the business units for ensuring information security and privacy compliance activities in those areas.

b. Organization Management Information Security and Privacy Procedures. Create procedures for the Organization Management and staff within each of the business units to follow, based upon their assigned work responsibilities and activities, to support compliance with the organization’s information security and privacy policies.

c. Organization Management Information Security and Privacy Training. Ensure Organization Management and their staff receive training and awareness specific to their unique work activities and job responsibilities to support compliance with the policies, procedures and the types of information, of all forms, that they handle.

5. Information Technology (IT)

a. IT Security & Privacy Responsibility. Formally assign responsibilities to a position or team within IT for ensuring information security and privacy compliance activities in that area.

b. IT Information Security and Privacy Procedures. Create procedures for IT staff to follow, based upon their assigned work responsibilities and activities, to support compliance with the organization’s information security and privacy policies.

c. IT Information Security and Privacy Training. Ensure IT staff receive training and awareness specific to their unique work activities and job responsibilities to support compliance with the policies, procedures and the types of information, of all forms, that they handle.


6. Legal

a. Legal Counsel Security & Privacy Responsibility. Formally assign responsibilities to a position or team within the Legal Department (or equivalent) for ensuring information security and privacy compliance activities in that area.

b. Legal Counsel Information Security and Privacy Procedures. Create procedures for the Legal Department (or equivalent) staff to follow, based upon their assigned work responsibilities and activities, to support compliance with the organization’s information security and privacy policies.

c. Legal Counsel Information Security and Privacy Training. Ensure the Legal Department (or equivalent) staff receive training and awareness specific to their unique work activities and job responsibilities to support compliance with the policies, procedures and the types of information, of all forms, that they handle.

7. Facilities Management and Physical Security and Safety

a. Facilities Management Information Security & Privacy Responsibility. Formally assign responsibilities to a position or team within the Facilities Management (or equivalent) department for ensuring information security and privacy compliance activities in that area.

b. Facilities Management Information Security and Privacy Procedures. Create procedures for the Facilities Management (or equivalent) department staff to follow, based upon their assigned work responsibilities and activities, to support compliance with the organization’s information security and privacy policies.

c. Facilities Management Information Security and Privacy Training. Ensure the Facilities Management (or equivalent) department staff receive training and awareness specific to their unique work activities and job responsibilities to support compliance with the policies, procedures and the types of information, of all forms, that they handle.

8. Audit

a. Audit Security & Privacy Responsibility. Formally assign responsibilities to a position or team within the Audit department for ensuring information security and privacy compliance activities in that area.

b. Audit Information Security and Privacy Procedures. Create procedures for the Audit department staff to follow, based upon their assigned work responsibilities and activities, to support compliance with the organization’s information security and privacy policies.

c. Audit Information Security and Privacy Training. Ensure the Audit department staff receive training and awareness specific to their unique work activities and job responsibilities to support compliance with the policies, procedures and the types of information, of all forms, that they handle.
