Have you reviewed your HIPAA Policy and Procedure Manual? Are all of your policies in place? If you are not sure which policies and procedures you need, below is a list that can help you make sure you have everything you need.

Are All of Your Policies in Place?

3 – Sanctions/Compliance

4 – HIPAA 164.308(a)(1)(ii)(A) – Risk Analysis

5 – HIPAA 164.308(a)(1)(ii)(B) – Risk Management

6 – HIPAA 164.308(a)(1)(ii)(C) – Sanction Policy

7 – HIPAA 164.308(a)(1)(ii)(D) – Information System Activity Review

8 – HIPAA 164.308(a)(2) – Assigned Security Responsibility

9 – HIPAA 164.308(a)(3)(ii)(A) – Authorization and/or Supervision

10 – HIPAA 164.308(a)(3)(ii)(B) – Workforce Clearance Procedure

11 – HIPAA 164.308(a)(3)(ii)(C) – Termination Procedures

12 – HIPAA 164.308(a)(4)(ii)(B) – Access Authorization

13 – HIPAA 164.308(a)(4)(ii)(C) – Access Establishment and Modification

14 – HIPAA 164.308(a)(5)(ii)(A) – Security Reminders

15 – HIPAA 164.308(a)(5)(ii)(B) – Protection from Malicious Software

16 – HIPAA 164.308(a)(5)(ii)(C) – Log-in Monitoring

17 – HIPAA 164.308(a)(5)(ii)(D) – Password Management

18 – HIPAA 164.308(a)(6)(ii) – Response and Reporting

19 – HIPAA 164.308(a)(7)(ii)(A) – Data Backup Plan

20 – HIPAA 164.308(a)(7)(ii)(B) – Disaster Recovery Plan

21 – HIPAA 164.308(a)(7)(ii)(C) – Emergency Mode Operation Plan

22 – HIPAA 164.308(a)(7)(ii)(D) – Testing and Revision Procedure

23 – HIPAA 164.308(a)(7)(ii)(E) – Applications and Data Criticality Analysis

24 – HIPAA 164.308(a)(8) – Evaluation

25 – HIPAA 164.308(b)(3) – Written Contract or Other Arrangement

26 – HIPAA 164.310(a)(2)(i) – Contingency Operations

27 – HIPAA 164.310(a)(2)(ii) – Facility Security Plan

28 – HIPAA 164.310(a)(2)(iii) – Access Control and Validation Procedures

29 – HIPAA 164.310(a)(2)(iv) – Maintenance Records

30 – HIPAA 164.310(b) – Workstation Use

31 – HIPAA 164.310(c) – Workstation Security

32 – HIPAA 164.310(d)(2)(i) – Media Disposal

33 – HIPAA 164.310(d)(2)(ii) – Media Re-use

34 – HIPAA 164.310(d)(2)(iii) – Media Accountability

35 – HIPAA 164.310(d)(2)(iv) – Data Backup and Storage (during transfer)

36 – HIPAA 164.312(a)(2)(i) – Unique User Identification

37 – HIPAA 164.312(a)(2)(ii) – Emergency Access Procedure

38 – HIPAA 164.312(a)(2)(iii) – Automatic Logoff

39 – HIPAA 164.312(a)(2)(iv) – Encryption and Decryption (data at rest)

40 – HIPAA 164.312(b) – Audit Controls

41 – HIPAA 164.312(c)(1) – Protection Policies/Procedures Against Improper Data Alteration or Destruction

42 – HIPAA 164.312(c)(2) – Protection Mechanism Against Improper Data Alteration or Destruction

43 – HIPAA 164.312(d) – Person or Entity Authentication

44 – HIPAA 164.312(e)(2)(i) – Protection of Data During Transmission

45 – HIPAA 164.312(e)(2)(ii) – Integrity Controls & Encryption

46 – HIPAA 164.314(a)(1) – Business Associate Contracts

47 – HIPAA 164.316(a) – Policies and Procedures

48 – HIPAA 164.316(b)(1) – Documentation

49 – HIPAA 164.316(b)(2)(i) – Time Limit

50 – HIPAA 164.316(b)(2)(ii) – Availability

51 – HIPAA 164.316(b)(2)(iii) – Updates

If you are in need of any of these policies, please contact Tier3MD to assist you in putting your manual together.