HIPAA HITECH Compliance Work Plan by Rebecca Herold, The Privacy Professor
By Jack Anderson, CEO, Compliance Helper. Posted 08/31/10
Information Security & Privacy Compliance Program Work Plan
Based upon the work plan created for Compliance Helper, which includes all the documentation referenced within this plan.
See more at http://www.compliancehelper.com. © Rebecca Herold & Associates, LLC. All rights reserved. Page 1
The following is a high-level work plan to create an information security and privacy program to meet compliance with HIPAA, HITECH and other regulatory and contractual requirements. The areas listed will vary depending upon the organization’s business model, size, number of geographic locations, other applicable legal requirements, and any other unique factors. Each organization should use this as a starting point and change appropriately for its own unique business situation.
1. Information Security and Privacy Program Management
a. Obtain Executive Management Support. An information security and privacy compliance program cannot be successful without the clear and strong support of executive management. Make sure your CEO, or equivalent position, is willing to provide strong support for the information security and privacy program.
b. Establish Information Security and Privacy Leadership. Formally assign responsibilities for information security and privacy.
c. Enterprise-Wide Responsibilities. Document the key information security and privacy responsibilities held throughout the organization.
d. Identify and Inventory Personal Information. Document where personal information, including Protected Health Information (PHI), is located, and maintain this inventory.
e. Data Protection Compliance, Laws, Regulations and Standards Requirements. Identify and document all legal requirements for protecting information.
f. Information Security and Privacy Risk Assessment. Perform an information security and privacy risk assessment, including a gap analysis against HIPAA and HITECH compliance requirements.
g. Information Security and Privacy Policies. Formally document information security and privacy policies to address the identified risks, in addition to those necessary to meet HIPAA, HITECH and other applicable legal requirements.
h. Information Security and Privacy Procedures and Processes. Formally document the types of procedures and processes necessary throughout the organization to support the policies.
i. Access, Authorization, Process, and Technical Controls. Establish and maintain technical controls and settings to support the procedures and compliance.
j. Passwords. One of the most common vulnerabilities in an information security and privacy program is allowing the use of bad passwords. Make sure your program establishes requirements for strong passwords that cannot be easily discovered, and that must be changed under appropriate conditions.
k. Information Security and Privacy Education. People are the weakest link for security and privacy protections. HIPAA, HITECH and dozens of other legal requirements exist for providing regular training and ongoing awareness communications. Assign information security and privacy education responsibilities, and ensure strong executive support for the activities.

2. Training and Awareness
a. Training and Awareness Plan. Document a formal plan for providing regular training and ongoing awareness communications for information security and privacy.
b. Training Content. Identify and contract, purchase or create the training content to support the plan.
c. Awareness Content. Identify and contract, purchase or create the awareness content, and any associated activity materials, to support the plan.

3. Human Resources (HR) Activities
a. HR Security & Privacy Responsibility. Formally assign responsibilities to a position or team within HR for ensuring information security and privacy compliance activities in that area.
b. HR Information Security and Privacy Procedures. Create procedures for HR staff to follow, based upon their assigned work responsibilities and activities, to support compliance with the organization’s information security and privacy policies.
c. HR Information Security and Privacy Training. Ensure HR staff receive training and awareness specific to their unique work activities and job responsibilities to support compliance with the policies, procedures and the types of information, of all forms, that they handle.

4. Organization Management
a. Organization Management Security & Privacy Responsibility. Formally assign responsibilities to the Organization Management within each of the business units for ensuring information security and privacy compliance activities in those areas.
b. Organization Management Information Security and Privacy Procedures. Create procedures for the Organization Management and staff within each of the business units to follow, based upon their assigned work responsibilities and activities, to support compliance with the organization’s information security and privacy policies.
c. Organization Management Information Security and Privacy Training. Ensure Organization Management and their staff receive training and awareness specific to their unique work activities and job responsibilities to support compliance with the policies, procedures and the types of information, of all forms, that they handle.

5. Information Technology (IT)
a. IT Security & Privacy Responsibility. Formally assign responsibilities to a position or team within IT for ensuring information security and privacy compliance activities in that area.
b. IT Information Security and Privacy Procedures. Create procedures for IT staff to follow, based upon their assigned work responsibilities and activities, to support compliance with the organization’s information security and privacy policies.
c. IT Information Security and Privacy Training. Ensure IT staff receive training and awareness specific to their unique work activities and job responsibilities to support compliance with the policies, procedures and the types of information, of all forms, that they handle.

6. Legal
a. Legal Counsel Security & Privacy Responsibility. Formally assign responsibilities to a position or team within the Legal Department (or equivalent) for ensuring information security and privacy compliance activities in that area.
b. Legal Counsel Information Security and Privacy Procedures. Create procedures for the Legal Department (or equivalent) staff to follow, based upon their assigned work responsibilities and activities, to support compliance with the organization’s information security and privacy policies.
c. Legal Counsel Information Security and Privacy Training. Ensure the Legal Department (or equivalent) staff receive training and awareness specific to their unique work activities and job responsibilities to support compliance with the policies, procedures and the types of information, of all forms, that they handle.

7. Facilities Management and Physical Security and Safety
a. Facilities Management Information Security & Privacy Responsibility. Formally assign responsibilities to a position or team within the Facilities Management (or equivalent) department for ensuring information security and privacy compliance activities in that area.
b. Facilities Management Information Security and Privacy Procedures. Create procedures for the Facilities Management (or equivalent) department staff to follow, based upon their assigned work responsibilities and activities, to support compliance with the organization’s information security and privacy policies.
c. Facilities Management Information Security and Privacy Training. Ensure the Facilities Management (or equivalent) department staff receive training and awareness specific to their unique work activities and job responsibilities to support compliance with the policies, procedures and the types of information, of all forms, that they handle.

8. Audit
a. Audit Security & Privacy Responsibility. Formally assign responsibilities to a position or team within the Audit department for ensuring information security and privacy compliance activities in that area.
b. Audit Information Security and Privacy Procedures. Create procedures for the Audit department staff to follow, based upon their assigned work responsibilities and activities, to support compliance with the organization’s information security and privacy policies.
c. Audit Information Security and Privacy Training. Ensure the Audit department staff receive training and awareness specific to their unique work activities and job responsibilities to support compliance with the policies, procedures and the types of information, of all forms, that they handle.
