HIPAA & HITECH Security & Privacy Governance Program

[YOUR COMPANY NAME] HIPAA Privacy Program Charter-DRAFT

Purpose

The [YOUR COMPANY NAME] HIPAA Privacy Program (“Privacy Program”) is established as part of its HIPAA Privacy Management Process. The [YOUR COMPANY NAME] HIPAA Privacy Office is responsible for developing, maintaining and implementing the Privacy Program which is governed by the [YOUR COMPANY NAME] HIPAA Privacy Council (“HPC”). The role of the HPC is to provide strategic guidance and execution oversight to the Privacy Program.

[YOUR COMPANY NAME] HIPAA Privacy Council

The HPC is a standing committee that provides strategic direction; establishes authority, responsibility and accountability; ensures that resources are adequate to achieve approved objectives; ascertains that risks are managed appropriately; and verifies that the enterprise’s resources are used responsibly in the [YOUR COMPANY NAME] Privacy Program. The Program exists to establish risk-based safeguards that adequately protect information but do not unnecessarily impede its appropriate use. The HPC operates under the auspices of the Executive Steering Committee.

[YOUR COMPANY NAME] HIPAA Privacy Council Responsibilities

The HPC will:

• Understand the Company’s risk philosophy, concur with the Company’s risk appetite and recommend strategic direction to the [YOUR COMPANY NAME] HIPAA Privacy Office on Company-wide HIPAA & HITECH security and privacy matters,

• Establish clear delegation of Privacy responsibilities to qualified designated personnel who are provided appropriate authority and who will report back to senior leaders,

• Know the extent to which the Privacy Office has established an effective Privacy Program across the Company,

• Inform and/or make recommendations to [YOUR COMPANY NAME]’s Executive Steering Committee regarding HIPAA privacy and security matters, as appropriate,

• Review the Company’s portfolio of risks and mitigating controls/safeguards, assess the potential impact, consider against the Company’s risk appetite and provide guidance to the Privacy Office as needed,

• Provide high level support for Privacy Program initiatives, including the provision of adequate resources to ensure their success,

• Ensure the necessary awareness of privacy and security issues and needs among senior leadership, and the awareness and support of senior managers across all business units,

• Be apprised of any privacy and security violations or incidents, associated remediation plans and the application of any sanctions, identification of significant risks and progress against initiatives.

Privacy Program Working Group Responsibilities

The Privacy Office will lead the Privacy Program Working Group to:

 Implement an effective Privacy program including:

o Development and implementation of Privacy policies & procedures

o Periodic and effective workforce training on Privacy policies & procedures,

o Establishment of effective safeguards as approved by HPC

o Development and implementation of Breach Notification process including a triage process for breach determination and application of a harm threshold framework

o Effective management of Business Associates Agreements (“BAA”)

 Educate the HPC on

o The material risks to the privacy of protected health information

o An estimate of the likelihood of a breach occurring

o The level of potential damage should a breach occur

o Mitigating controls or safeguards

 Make recommendations to the HPC for investments to reduce or eliminate risks

 Provide frequent and effective updates to the HPC regarding:

o Regulatory Changes

o Incidents/Breaches including investigations and mitigating activities

o Privacy Audits

o Training Updates

o Non-compliance issues and sanctions

 Include appropriate representation from affected functions for, and/or awareness of, program decisions

HPC Membership Membership of the HPC will be comprised of [YOUR COMPANY NAME] Privacy Officer, [YOUR COMPANY NAME] Security Officer and other appropriate cross-functional members of Senior and/or Executive Management, such as Information Management,

Operations, Administration, Legal, Finance, Human Resources and Quality. The HPC will be chaired by [YOUR COMPANY NAME]’s Risk Manager. (see Attachment A)

Privacy Program Working Group Membership The [YOUR COMPANY NAME] HIPAA Privacy Program Working Group will be comprised of [YOUR COMPANY NAME] Privacy Officer and designees from the HPC members and other appropriate members of senior and/or middle management with responsibilities for developing and/or implementing an effective Privacy Program. The Privacy Office will be chaired by the [YOUR COMPANY NAME] Privacy Officer. (see Attachment B)

Meetings Meetings of the HPC will be held monthly until ______, 2013 to ensure oversight of current initiatives, and at least quarterly thereafter. Ad hoc meetings may be called at any time by the HPC Chair. Minutes of the meetings will be maintained by the Privacy Officer.

HPC Standard Agenda

I. Approval of Minutes from Prior Minutes

II. Follow-up on any pending previous issues (HPC Co-Chair)

III. Update on new or revised Policies and Procedures

IV. Risk Analysis Update

V. Updates as appropriate regarding

a. Regulatory Changes

b. Incidents/Breaches including investigations and mitigating activities

c. Upcoming or Completed Privacy Audits

d. Training Updates (e.g. development of materials, legal review of training materials, schedule for training, % completion)

e. Non-compliance issues and sanctions

VI. Next Meeting Agenda

Revisions to the Charter

Revisions to any section of the HPC Charter can be made at any time that circumstances warrant or as recommended by the HPC Chair, and as approved by a majority of the Council members.

Attachment A

HPC Membership

Member Title Risk Manager (or Executive Sponsor)

Privacy Officer

Security Officer

Director of Clinical Operations

Director of Quality

Director of Human Resources

Director of Accreditation

Controller Chair will bring in Executive representation as needed

Attachment B

Privacy Program Working Group Membership

Member Title

Privacy Officer

Security Officer

Project Manager

IT Manager

HR Manager

Manager - Operations

Clinical Operations Manager Privacy Office Liaisons from multiple locations

Facility Manager

Chair will bring in Legal and other representation as needed.