<Company>
HIPAA Security Policy #1
General Security Compliance
Reference: HIPAA Security standard: 164.308(a)(1), 164.308(a)(6)
Statement of Policy
<Company> is committed to conducting business in compliance with all applicable
laws, regulations and <Company> policies. <Company> has adopted this policy to set forth its compliance with those
standards established by the Department of Health and Human Services under the Health Insurance Portability and Accountability
Act of 1996 ("HIPAA") regarding the security of Electronic Protected Health Information ("EPHI") (the "Security Regulations").
Scope of Policy
The scope of this Policy covers <Company>’s general approach to
compliance with the Security Regulations. As a covered entity under the Security Regulations, <Company> must: (1) ensure
the confidentiality, integrity and availability of all EPHI <Company> creates, receives, maintains or transmits; (2)
protect against any reasonably anticipated threats or hazards to the security or integrity of such information; (3) protect
against any reasonably anticipated uses or disclosures of such information that are not permitted or required; and (4) ensure
compliance with the Security Regulations by its Workforce. Compliance with the Security Regulations will require <Company>
to implement:
- Administrative Safeguards--those actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures
to protect EPHI and to manage the conduct of <Company>’s Workforce in relation to the protection of and authorized
access to said EPHI.
- Physical Safeguards--those physical measures, policies and procedures to protect <Company>’s electronic information systems, related buildings
and equipment from natural and environmental hazards and unauthorized intrusion.
- Technical Safeguards--the technologies and the policies and procedures for their use that protect EPHI and control access to it.
The specifications for implementation of each of these safeguards are addressed
in three separate sets of policies. The Administrative Safeguards are set forth in HIPAA Security Policies #1 through 8; the
Physical Safeguards are set forth in HIPAA Security Policies #9 through 12; and the Technical Safeguards are set forth in
HIPAA Security Policies #13 through 17.
Policy
<Company> has designated a Security Officer with overall responsibility
for the development and implementation of policies that conform to the Security Regulations ("Security Policies"). The initial
HIPAA Security Officer is <name>, HIPAA Security Officer and Information Technology Manager for <Company>. The Security
Officer is responsible for ensuring that <Company>: (i) complies with the HIPAA Security Policies, (ii)
develops and implements business HIPAA security procedures ("Security Procedures") for each Security Policy, (iii) maintains
the confidentiality of all EPHI created or received by <Company> from the date such information is created or received
until it is destroyed, and (iv) provides all Workforce members with the appropriate level of HIPAA training as determined.
The Security Regulations permit <Company> to implement any security measure that allows it to reasonably
and appropriately comply with a specific security standard in the Security Regulations. In determining which security measures
to implement, <Company> must take into account its size, complexity and capabilities; technical infrastructure; hardware
and software security capabilities; the costs of the security measures; and the probability and criticality of potential risks
to EPHI.
The <Company> HIPAA Security Policies and Security Procedures are designed
to ensure compliance with the Security Regulations. Such Security Policies and Security Procedures shall be kept current and
in compliance with any changes in the law, regulations or practices of <Company> in accordance with HIPAA Security Policy
#8 - Periodic Evaluation of Security Policies and Procedures.
Every member of the <Company> Workforce is responsible for being aware
of, and complying with, the Security Regulations and the Security Policies and Security Procedures.
Creation Date:
Effective Date:
Last Revision Date: