Minimum Content of the Policies and Procedures. The Policies and Procedures shall include, but shall not be limited to the following:
1. Policies regarding encryption of ePHI.
2. Policies regarding password management.
3. Policies regarding security incident response.
4. Policies regarding mobile device controls.
5. Policies regarding information system review.
6. Policies regarding security reminders.
7. Policies regarding log-in monitoring.
8. Policies regarding a data backup plan.
9. Policies regarding a disaster recovery plan.
10. Policies regarding an emergency mode operation plan.
11. Policies regarding testing and revising of contingency plans.
12. Policies regarding applications and data criticality analysis.
13. Policies regarding automatic log off.
14. Policies regarding audit controls.
15. Policies regarding integrity controls.
Minimum Content of the Policies and Procedures. The Policies and Procedures referenced herein shall, at minimum, provide for administrative, physical and technical safeguards (“safeguards”) to protect the privacy of non-electronic PHI to ensure that such PHI is appropriately and reasonably safeguarded from any intentional, unintentional or incidental use or disclosure that is in violation of the Privacy Rule.
Minimum Content of the Policies and Procedures. The Policies and Procedures shall include measures to address the following Privacy and Security Rule provisions:
1. Uses and Disclosures of PHI - 45 C.F.R. § 164.502(a)
2. Security Management Process - 45 C.F.R. § 164.308(a)(1)(i)
3. Information Access Management - 45 C.F.R. § 164.308(a)(4)
4. Workstation Security - 45 C.F.R. § 164.310(c)
5. Device and Media Controls - 45 C.F.R. § 164.310(d)
6. Encryption and Decryption - 45 C.F.R. §§ 164.312(a)(2)(iv) and 164.312(e)(2)(ii)
Minimum Content of the Policies and Procedures. The Policies and Procedures shall include, but not be limited to:
1. Instructions and Procedures that address appropriate administrative, technical, and physical safeguards to protect PHI from any intentional or unintentional use or disclosure (a) for media inquiries and (b) that define PHI as it relates to individually identifiable health information (IIHI).
2. Protocols for training all members of SRMC’s workforce who use and disclose PHI to ensure that they know how to comply with the Policies and Procedures provided for in subparagraph (1) above.
1. Instructions and Procedures that address permissible and impermissible uses and disclosures of PHI (a) for media inquiries, (b) to workforce members who are not involved in the individual’s medical care and (c) that define PHI as it relates to individually identifiable health information (IIHI).
2. Application of appropriate sanctions against members of SRMC’s workforce who fail to comply with Policies and Procedures provided for in subparagraph (1) above.
3. Protocols for training all members of SRMC’s workforce who use and disclose PHI to ensure that they know how to comply with the Policies and Procedures provided for in subparagraph (1) above.
1. Instructions and Procedures that address (a) What is individually identifiable health information (IIHI) and protected health information (PHI), including what is required for PHI to be unidentified; (b) Communicating with, and responding to, the media, including in regard to patient-related inquiries; and (c) Sharing of patient PHI within SRMC, including sharing of patient PHI with workforce members not involved in the provision of or payment for care.
2. Protocols for training all SRMC’s workforce members who use and disclose PHI to ensure that they know how to comply with the Policies and Procedures provided for in subparagraph (1) above.
3. Application of appropriate sanctions against SRMC’s workforce members who fail to comply with Policies and Procedures provided for in subparagraph (1) above.
Minimum Content of the Policies and Procedures. The Policies and Procedures shall include, but not be limited to:
1. Administrative and physical safeguards for the disposal of all non-electronic PHI that appropriately and reasonably safeguard such PHI from any use or disclosure in violation of the Privacy Rule and that limit incidental uses and disclosures, including, but not limited to, providing that paper PHI intended for disposal shall be shredded, burned, pulped, or pulverized so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
2. Measures that address the following Privacy Rule provisions:
a. Uses and disclosures of PHI – 45 C.F.R. § 164.502(a)
b. Safeguards – 45 C.F.R. § 164.530(c)(1)
c. Training – 45 C.F.R. § 164.530(b)(1)
Minimum Content of the Policies and Procedures. The Policies and Procedures shall include measures to address the following Privacy and Security Provisions:
1. Uses and Disclosures of PHI - 45 C.F.R. § 164.502(a)
2. Minimum Necessary - 45 C.F.R. § 164.502(b)
3. Disclosures to Business Associates - 45 C.F.R. § 164.502(e)(1)
4. Training - 45 C.F.R. § 164.530(b)(1)
5. Safeguards - 45 C.F.R. § 164.530(c)(1)
6. Changes to Policies and Procedures - 45 C.F.R. § 164.530(i)(2)
7. Administrative Safeguards, including all required and addressable implementation specifications - 45 C.F.R. § 164.308(a) and (b)
8. Physical Safeguards, including all required and addressable implementation specifications - 45 C.F.R. § 164.310
9. Technical Safeguards, including all required and addressable implementation specifications - 45 C.F.R. § 164.312
Minimum Content of the Policies and Procedures. The Policies and Procedures shall include, but not be limited to:
1. Review and update as necessary BILHBS’ policies and procedures related to access to protected health information.
2. Review and update as necessary BILHBS’ policies and procedures related to safeguarding designated record sets.
3. Protocols for training all BILHBS’ workforce members that are involved in receiving or fulfilling access requests as necessary and appropriate to ensure compliance with the policies and procedures provided for in section V.A. above.
4. Protocols for training all BILHBS’ workforce members that are involved in the maintaining of designated record sets and other protected health information as necessary and appropriate to ensure compliance with the policies and procedures provided for in section V.A. above.
5. Application of appropriate sanctions against BILHBS workforce members who fail to comply with policies and procedures provided for in subparagraphs (1) and (2) above.
Minimum Content of the Policies and Procedures. The Policies and Procedures shall, at a minimum, include:
1. Administrative, physical and technical safeguards for all portable devices that contain or are used to access MEEI ePHI that appropriately and reasonably ensure that such ePHI may be protected from any intentional or unintentional uses or disclosures in violation of the Privacy and/or Security Rules;
2. Provisions for conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all MEEI ePHI, when it is created, received, maintained, used or transmitted using portable devices on or off-site;
3. Provisions for implementing security measures sufficient to reduce the risks and vulnerabilities identified by the risk analysis to a reasonable and appropriate level based on MEEI’s circumstances;
4. Provisions to identify the security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule for MEEI;
5. Procedures for identifying and responding to security incidents; mitigating, to the extent practicable, harmful effects of security incidents; and documenting the security incidents and their outcomes;
6. Procedures that specify the proper functions to be performed using workstations that access MEEI ePHI, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstations that can access ePHI;
7. Provisions to track the receipt and removal of hardware and electronic media, including portable devices, that contain MEEI ePHI into and out of MEEI’s facility(s), and the movement of these items within MEEI’s facility(s);
8. Mechanism(s) to encrypt and decrypt portable devices that contain MEEI ePHI to allow access only to those persons or software programs that have been granted access rights;
9. Instructions and procedures that address permissible and impermissible uses and disclosures of MEEI ePHI accessed by or stored on portable devices;
10. Procedures for applying appropriate sanctions against workforce members who fail to comply with these Policies and Procedures required in section VI.A.
Minimum Content of the Policies and Procedures. The Policies and Procedures shall include, but not be limited to:
1. Measures that address the following Privacy and Security Rule provisions:
a. Business Associate Agreements – 45 C.F.R. § 164.308(b), including (i) the designation of one or more individual(s) who are responsible for ensuring that the covered entity enters into a business associate agreement with each of its business associates, as defined by the HIPAA Rules, prior to disclosing PHI to the business associate; (ii) a process for assessing the current and future business relationships to determine whether each relationship is with a business associate as defined under the HIPAA Rules; (iii) a process for negotiating and entering into business associate agreements with business associates prior to disclosing PHI to the business associates;
Minimum Content of the Policies and Procedures. The Policies and Procedures shall, at a minimum, include:
1. The administrative, physical, and technical safeguards in the Privacy and Security Rules that relate to the Policies and Procedures and reasonable protections for such PHI from any intentional or unintentional uses or disclosures in violation of the Privacy Rule.
2. If MGH determines that a member of their workforce has violated these Policies and Procedures, MGH shall notify in writing the Monitor described in section V.E. within 30 days of its determination. Such violations shall be known as Reportable Events. The report to the Monitor shall include the following information:
a. A complete description of the event, including the relevant facts, the persons involved, and the provision(s) of the Policies and Procedures implicated;
b. A description of MGH’s actions taken to mitigate any harm and any further steps MGH plans to take to address the matter and prevent it from recurring.