HIPAA & HITECH Security & Privacy Governance Program
Total Page:16
File Type:pdf, Size:1020Kb
[YOUR COMPANY NAME] HIPAA Privacy Program Charter-DRAFT
Purpose
The [YOUR COMPANY NAME] HIPAA Privacy Program (“Privacy Program”) is established as part of its HIPAA Privacy Management Process. The [YOUR COMPANY NAME] HIPAA Privacy Office is responsible for developing, maintaining and implementing the Privacy Program which is governed by the [YOUR COMPANY NAME] HIPAA Privacy Council (“HPC”). The role of the HPC is to provide strategic guidance and execution oversight to the Privacy Program.
[YOUR COMPANY NAME] HIPAA Privacy Council
The HPC is a standing committee that provides strategic direction; establishes authority, responsibility and accountability; ensures that resources are adequate to achieve approved objectives; ascertains that risks are managed appropriately; and verifies that the enterprise’s resources are used responsibly in the [YOUR COMPANY NAME] Privacy Program. The Program exists to establish risk-based safeguards that adequately protect information but do not unnecessarily impede its appropriate use. The HPC operates under the auspices of the Executive Steering Committee.
[YOUR COMPANY NAME] HIPAA Privacy Council Responsibilities
The HPC will:
• Understand the Company’s risk philosophy, concur with the Company’s risk appetite and recommend strategic direction to the [YOUR COMPANY NAME] HIPAA Privacy Office on Company-wide HIPAA & HITECH security and privacy matters,
• Establish clear delegation of Privacy responsibilities to qualified designated personnel who are provided appropriate authority and who will report back to senior leaders,
1 ©Clearwater Compliance LLC | All Rights Reserved |
[YOUR COMPANY NAME] HIPAA Privacy Program Charter-DRAFT
• Know the extent to which the Privacy Office has established an effective Privacy Program across the Company,
• Inform and/or make recommendations to [YOUR COMPANY NAME]’s Executive Steering Committee regarding HIPAA privacy and security matters, as appropriate,
• Review the Company’s portfolio of risks and mitigating controls/safeguards, assess the potential impact, consider against the Company’s risk appetite and provide guidance to the Privacy Office as needed,
• Provide high level support for Privacy Program initiatives, including the provision of adequate resources to ensure their success,
• Ensure the necessary awareness of privacy and security issues and needs among senior leadership, and the awareness and support of senior managers across all business units,
• Be apprised of any privacy and security violations or incidents, associated remediation plans and the application of any sanctions, identification of significant risks and progress against initiatives.
Privacy Program Working Group Responsibilities
The Privacy Office will lead the Privacy Program Working Group to:
Implement an effective Privacy program including:
o Development and implementation of Privacy policies & procedures
o Periodic and effective workforce training on Privacy policies & procedures,
o Appropriate application of sanctions for non-compliance, 2 ©Clearwater Compliance LLC | All Rights Reserved |
[YOUR COMPANY NAME] HIPAA Privacy Program Charter-DRAFT
o Establishment of effective safeguards as approved by HPC
o Development and implementation of Breach Notification process including a triage process for breach determination and application of a harm threshold framework
o Effective management of Business Associates Agreements (“BAA”)
Educate the HPC on
o The material risks to the privacy of protected health information
o An estimate of the likelihood of a breach occurring
o The level of potential damage should a breach occur
o Mitigating controls or safeguards
Make recommendations to the HPC for investments to reduce or eliminate risks
Provide frequent and effective updates to the HPC regarding:
o Regulatory Changes
o Incidents/Breaches including investigations and mitigating activities
o Privacy Audits
o Training Updates
o Non-compliance issues and sanctions
Include appropriate representation from affected functions for, and/or awareness of, program decisions
HPC Membership Membership of the HPC will be comprised of [YOUR COMPANY NAME] Privacy Officer, [YOUR COMPANY NAME] Security Officer and other appropriate cross-functional members of Senior and/or Executive Management, such as Information Management,
3 ©Clearwater Compliance LLC | All Rights Reserved |
[YOUR COMPANY NAME] HIPAA Privacy Program Charter-DRAFT
Operations, Administration, Legal, Finance, Human Resources and Quality. The HPC will be chaired by [YOUR COMPANY NAME]’s Risk Manager. (see Attachment A)
Privacy Program Working Group Membership The [YOUR COMPANY NAME] HIPAA Privacy Program Working Group will be comprised of [YOUR COMPANY NAME] Privacy Officer and designees from the HPC members and other appropriate members of senior and/or middle management with responsibilities for developing and/or implementing an effective Privacy Program. The Privacy Office will be chaired by the [YOUR COMPANY NAME] Privacy Officer. (see Attachment B)
Meetings Meetings of the HPC will be held monthly until ______, 2013 to ensure oversight of current initiatives, and at least quarterly thereafter. Ad hoc meetings may be called at any time by the HPC Chair. Minutes of the meetings will be maintained by the Privacy Officer.
HPC Standard Agenda
I. Approval of Minutes from Prior Minutes
II. Follow-up on any pending previous issues (HPC Co-Chair)
III. Update on new or revised Policies and Procedures
IV. Risk Analysis Update
V. Updates as appropriate regarding
a. Regulatory Changes
b. Incidents/Breaches including investigations and mitigating activities
c. Upcoming or Completed Privacy Audits
d. Training Updates (e.g. development of materials, legal review of training materials, schedule for training, % completion)
4 ©Clearwater Compliance LLC | All Rights Reserved |
[YOUR COMPANY NAME] HIPAA Privacy Program Charter-DRAFT
e. Non-compliance issues and sanctions
VI. Next Meeting Agenda
Revisions to the Charter
Revisions to any section of the HPC Charter can be made at any time that circumstances warrant or as recommended by the HPC Chair, and as approved by a majority of the Council members.
Attachment A
HPC Membership
Member Title Risk Manager (or Executive Sponsor)
Privacy Officer
Security Officer
Director of Clinical Operations
Director of Quality
Director of Human Resources
Director of Accreditation
Controller Chair will bring in Executive representation as needed
5 ©Clearwater Compliance LLC | All Rights Reserved |
[YOUR COMPANY NAME] HIPAA Privacy Program Charter-DRAFT
Attachment B
Privacy Program Working Group Membership
Member Title
Privacy Officer
Security Officer
Project Manager
IT Manager
HR Manager
Manager - Operations
Clinical Operations Manager Privacy Office Liaisons from multiple locations
Facility Manager
Chair will bring in Legal and other representation as needed.
6 ©Clearwater Compliance LLC | All Rights Reserved |