| Privacy and Security Topic |
Deliverable(s) |
| COVID-19 |
|
| Access to Protected Health Information (PHI) 164.524 |
|
| Accounting of Disclosures 164.528 |
Accounting of Disclosures |
| Alternative Communications 164.522 (b) |
Individual Right to Request Alternative Communications |
|
Amendment 164.526
|
|
Auditing/Activity Review
- Audit Controls 164.312(b)
- Information System Activity Review 164.308(a)(1)(ii)(D)
- Log-in Monitoring 164.308(a)(5)(ii)(C)
- Protection from Malicious Software 164.308(a)(5)(ii)(B)
|
Information System Activity Review Policy (formerly named Auditing Policy) |
| Authorization 164.508 |
|
Breach Notification Part 164 Subpart D
- Sanction Policy 164.308(a)(1)(ii)(C)
|
|
Business Associate
- 164.308(b)
- 164.314
- 164.504(e)
- HITECH Sections 13401(a), 13404, 13408
|
|
| Complaint 164.530(d)(1) |
Privacy Complaint Policy & Form |
|
Contingency Plan 164.308(a)(7)
- Contingency Operations 164.310(a)(2)(i)
- Emergency Access Procedure 164.312(a)(2)(ii)
|
Contingency Planning Whitepaper
|
| Consumer Guide |
Wisconsin Consumer HIPAA Guide PDF |
Data Management
- Accountability 164.310(d)(2)(iii)
- Data Backup and Storage 164.310(d)(2)(iv)
- Data Backup Plan 164.308(a)(7)(ii)(A)
- Device and Media Controls 164.310(d)
- Data Management
- Accountability 164.310(d)(2)(iii)
- Data Backup and Storage 164.310(d)(2)(iv)
- Data Backup Plan 164.308(a)(7)(ii)(A)
- Device and Media Controls 164.310(d)
|
Data Management & Backup
|
| De-Identification 164.514 |
De-ID vs LDS |
| Designated Record Set 164.501 |
Designated Record Sets |
Device & Media Controls 164.310(d)
- Disposal 164.310(d)(2)(i)
- Media Re-use 164.310(d)(2)(ii)
- Portable Handheld Devices
- Removable Media
|
|
| Employee Health |
Management of Employee Health Records Whitepaper |
Facility Access Controls 164.310(a)(1)
- Access Control & Validation Procedures 164.310(a)(2)(iii)
- Facility Security Plan 164.310(a)(2)(ii)
|
Facility Access Policy
|
| Facility Maintenance Records 164.310(a)(2)(iv) |
Facility Repairs and Maintenance
|
| Fundraising 164.514(f)(1) |
Fundraising Policy Doc
|
|
Group Health Plan Requirements
|
Plan Documents Policy
|
Information Access Management 164.308(a)(4)(i)
- Access Control 164.312(a)(1)
- Access Establishment and Modification 164.308(a)(4)(ii)(C)
- Authorization and/or Supervision 164.308(a)(3)(ii)(A)
- Automatic Logoff 164.312(a)(2)(iii)
- Isolating Healthcare Clearinghouse Function 164.308(a)(4)(ii)(A)
- Password Management 164.308(a)(5)(ii)(D)
- Person or Entity Authentication 164.312(d)
- Termination Procedures 164.308(a)(3)(ii)(C)
- Unique User Identification 164.312(a)(2)(i)
- Workforce Clearance Procedure 164.308(a)(3)(ii)(B)
- Workforce Security 164.308(a)(3)(i)
- Workstation Use 164.310(b)
|
|
| Judicial Proceeding 164.512(e) |
Policy & Procedure for Use and Disclosure of PHI for Judicial and Administrative Proceedings |
| Law Enforcement 164.512(f) |
|
| Marketing 164.501 |
Marketing Policy Doc |
| Media |
Disclosure of PHI to the Media |
| Minimum Necessary 164.514 |
|
| Notice of Privacy Practice 164.520 |
|
| Occupational Health |
Occupational Health Whitepaper 4-15-13
|
|
Policies & Procedures
- Privacy 164.530(i)
- Security 164.316
|
|
|
Preemption with Wisconsin Law
|
|
| Privacy Officer 164.530(a) |
HIPAA Implementation & Oversight
|
| Psychotherapy Notes 164.508(a)(2) |
Psychotherapy Notes |
| Remote Access Policy |
Remote Access Policy Document
|
| Restriction Request 164.522 (a) |
Individual Right to Request Restrictions on How PHI is Used/Disclosed for TPO |
Risk Analysis & Management
- 164.308 (a)(1)(ii)(A) and (B)
- Evaluation 164.308(a)(8)
- Meaningful Use – CMS EHR Incentive program
- Protect Electronic Health Information Requirements
- Safeguards – Administrative 164.306
- Safeguards – Physical 164.310
|
|
| Safeguards 164.530 (c) |
Communication of PHI Policy Doc |
|
Security Incident Procedures 164.308(a)(6)
- Security Management Process 164.308(a)(1)(i)
|
Security Incident Response
Also Refer to Breach Notification Section
|
Security Oversight
- General Rules 164.306
- Policies & Procedures & Documentation Requirements 164.316
- Security Awareness and Training 164.308(a)(5)(i)
- Security Reminders 164.308(a)5)(ii)(A)
- Sanction Policy 164.308(a)(1)(ii)(C)
|
Also Refer to Training Section
|
| Social Media |
Social Media Guidelines |
|
Technical Access Control:
- Encryption 164.312(e)(2)(ii)
- Encryption and Decryption 164.312(a)(2)(iv)
- Integrity 164.312(c)
- Integrity Controls 164.312(e)(2)(i)
- Transmission Security 164.312(e)(1)
|
Encryption Whitepaper
|
|
Training
- 164.530(b)(1)
- 164.308(a)(5)
|
Privacy & Security Training Session PowerPoint
Also Refer to Security Oversight Section
|
|
Treatment Uses and Disclosures 164.506
|
Position Statement: Disclosing of PHI for Treatment Purposes
|
|
Verification of Identity 164.514(h)
|
Identity Verification
|
|
Workers Compensation 164.512(l)
|
Workers Compensation
|
