AMC/HIPAA Workgroup
ix
Contents
Abstract ...........................................................................................................................................ii
Executive Summary .......................................................................................................................iv
Contents..........................................................................................................................................ix
Introduction .....................................................................................................................................1
Purpose........................................................................................................................................2
Scope ...........................................................................................................................................2
Background .................................................................................................................................3
Acknowledgements .....................................................................................................................3
Updates and Errata ......................................................................................................................6
AMC Guidelines .............................................................................................................................7
Organization of the Guidelines ...................................................................................................7
AMC HIPAA Security Guidelines..............................................................................................9
Section One: Requirements for Security Administration...................................................9
SEC.01 Certification § .308(a)(1) ..............................................................................10
SEC.02 Chain of Trust Partner Agreement § .308(a)(2)............................................ 12
SEC.03 Contingency Planning § .308(a)(3)..............................................................14
SEC.04 Formal Mechanism for Processing Records § .308(a)(4) .............................16
SEC.05 Information Access and Control § .308(a)(5)............................................... 17
SEC.06 Internal Audit § .308(a)(6)............................................................................ 19
SEC.07 Personnel Security § .308(a)(7) .................................................................... 21
SEC.08 Security Configuration Management § .308(a)(8)........................................23
SEC.09 Security Incident Procedures § .308(a)(9) .................................................... 25
SEC.10 Security Management Process § .308(a)(10)...............................................27
SEC.11 Termination Procedures § .308(a)(11).......................................................... 30
SEC.12 Security Training § .308(a)(12) ...................................................................32
Section Two: Requirements for Physical Safeguards ......................................................35
SEC.13 Assigned Security Responsibility § .308(b)(1)............................................. 36
SEC.14 Media Controls § .308(b)(2) .........................................................................38
SEC.15 Physical access controls § .308(b)(3)............................................................ 41
SEC.16 Policy/guideline on workstation use § .308(b)(4).........................................44
SEC.17 Secure work station location § .308(b)(5).................................................... 46
SEC.18 Security Awareness training § .308(b)(6).....................................................48
Section Three: Requirements for Technical Security, Services, and Mechanisms..........49
SEC.19 Access Control § .308(c)(1)(i) ......................................................................50
SEC.20 Audit Controls § .308(c)(1)(ii)...................................................................... 52
SEC.21 Authorization Control § .308(c)(3)..............................................................54
SEC.22 Data Authentication § .308(c)(4) .................................................................55
SEC.23 Entity Authentication § .308(c)(5)...............................................................56
SEC.24 Communications/network controls § .308(d) ...............................................58
AMC HIPAA Privacy Guidelines.............................................................................................61
Section One: Covered Entities .........................................................................................65
PRIV.01 Health care component §164.504(b)........................................................... 66
PRIV.02 Affiliated covered entities §164.504(d) ......................................................68
PRIV.03 Business associate contracts §164.504(e)(1)...............................................70

PRIV.04 Requirements for group health plans §164.504(f)(1).................................. 74
PRIV.05 Requirements for a covered entity with multiple covered functions § 164.504(g) .......78
PRIV.06 Group health plans § 164.530(k).................................................................80
Section Two: Consent and Authorization ........................................................................81
PRIV.07 Consent requirement § 164.506(a)..............................................................82
PRIV.08 Resolving conflicting consents and authorizations § 164.506(e)................86
PRIV.09 Joint consents § 164.506(f) .........................................................................88
PRIV.10 Authorizations for uses and disclosures § 164.508(a) ................................ 90
PRIV.11 Right of an individual to request restriction of uses and disclosures § 164.522(a)(1) .......96
PRIV.12 Effect of prior consents and authorizations § 164.532(a) ...........................98
Section Three: Uses and disclosures .............................................................................. 101
Sub-Section A: General Uses and Disclosures ..........................................................102
PRIV.13 Uses and disclosures of protected health information § 164.502(a) .........103
PRIV.14 Uses and disclosures of protected health information subject to an agreed-upon restriction § 164.502(c) .......105
PRIV.15 Uses and disclosures of de-identified protected health information § 164.502(d) .......107
PRIV.16 Disclosures to business associates § 164.502(e).......................................108
PRIV.17 Deceased individuals § 164.502(f)............................................................ 110
PRIV.18 Personal representatives § 164.502(g) ......................................................111
PRIV.19 Confidential communications § 164.502(h).............................................. 113
PRIV.20 Uses and disclosures consistent with notice § 164.502(i)........................114
PRIV.21 Disclosures by whistleblowers and workforce member crime victims § 164.502(j) .......115
PRIV.22 Use and disclosure for facility directories § 164.510(a) ...........................117
PRIV.23 Uses and disclosures for involvement in the individual's care and notification purposes § 164.510(b) .......119
PRIV.24 Uses and disclosures of protected health information for marketing § 164.514(e)(1) .......121
PRIV.25 Uses and disclosures for fundraising § 164.514(f)(1)...............................123
PRIV.26 Uses and disclosures for underwriting and related purposes § 164.514(g) .......125
Sub-Section B: Balancing Privacy and Public Responsibility................................... 126
PRIV.27 Uses and disclosures required by law § 164.512(a).................................. 127
PRIV.28 Uses and disclosures for public health activities § 164.512(b)................. 128
PRIV.29 Disclosures about victims of abuse, neglect, or domestic violence § 164.512(c) .......130
PRIV.30 Uses and disclosures for health oversight activities § 164.512(d)............ 132
PRIV.31 Disclosures for judicial and administrative proceedings § 164.512(e)..... 134
PRIV.32 Disclosures for law enforcement purposes § 164.512(f) ..........................137
PRIV.33 Uses and disclosures about decedents § 164.512(g) .................................141
PRIV.34 Uses and disclosures for cadaveric organ, eye, or tissue donation purposes § 164.512(h) .......143
PRIV.35 Uses and disclosures for research purposes § 164.512(i) .........................144

PRIV.36 Uses and disclosures to avert a serious threat to health or safety § 164.512(j) .......148
PRIV.37 Uses and disclosures for specialized government functions § 164.512(k) .......150
PRIV.38 Disclosures for workers' compensation § 164.512(l) ............................... 153
PRIV.39 Minimum necessary § 164.502(b) ............................................................154
PRIV.40 De-identification of protected health information § 164.514(a) .............. 156
PRIV.41 Minimum necessary requirements § 164.514(d)(1)..................................160
PRIV.42 Verification requirements § 164.514(h)(1) ...............................................163
Section Four: Consumer Controls.................................................................................. 166
PRIV.43 Notice of privacy practices § 164.520(a) .................................................. 167
PRIV.44 Confidential communications requirements § 164.522(b)(1) ...................173
PRIV.45 Access to protected health information § 164.524(a) ...............................175
PRIV.46 Right to amend § 164.526(a).....................................................................181
PRIV.47 Right to an accounting of disclosures of protected health information § 164.528(a) .......185
Section Five: Administrative requirements....................................................................189
PRIV.48 Privacy Official § 164.530(a)(1)(i) ...........................................................190
PRIV.49 Privacy Contact Person or Office § 164.530(a)(1)(ii)...............................192
PRIV.50 Training on Privacy § 164.530(b)(1) ........................................................194
PRIV.51 Safeguards § 164.530(c)(1)......................................................................196
PRIV.52 Complaints to the covered entity § 164.530(d)(1) ....................................198
PRIV.53 Sanctions § 164.530(e)(1) .........................................................................200
PRIV.54 Mitigation § 164.530(f)............................................................................. 202
PRIV.55 Refraining from intimidating or retaliatory acts § 164.530(g).................. 204
PRIV.56 Waiver of rights § 164.530(h)...................................................................206
PRIV.57 Policies and procedures § 164.530(i)(1) ...................................................207
PRIV.58 Changes to policies or procedures § 164.530(i)(2) ...................................208
PRIV.59 Documentation § 164.530(j) .....................................................................211
General Policy and Management Guidelines..........................................................................213
GEN.01 Roles and Responsibilities in Development and Maintenance ..................214
GEN.02 Organizational Support for HIPAA Security and Privacy Compliance........216
GEN.03 Resources for Development and Maintenance........................................... 217
GEN.04 Evaluation and Monitoring of Development and Maintenance .................218
GEN.05 Reasonableness .......................................................................................... 219
GEN.06 Scalability...................................................................................................220
GEN.07 Limiting Liability Arising from Compliance.............................................221
GEN.08 HIPAA Accreditation Intersections ........................................................... 222
GEN.09 Stricter State Law § 160.203......................................................................223
GEN.10 Policy establishment and modification ...................................................... 225
GEN.11 Policy Usage Introduction..........................................................................226
GEN.12 Privacy Culture ..........................................................................................227
GEN.13 Digital Signature ........................................................................................228
GEN.14 Other Federal Law and HIPAA Privacy ....................................................231
Acronyms ....................................................................................................................................234
Definitions of Terms Used in this Guideline ..............................................................................235
References ...................................................................................................................................243

Privacy Standards....................................................................................................................245
TABLES
Table 1. Mapping of Privacy Standards to AMC Guidelines ......................................................61