“If it’s not documented, it’s not done.”
The importance of having well-written policies and procedures cannot be overstated. Policies define expectations, responsibilities, and procedures to follow. Governance, including the assignment of oversight and management responsibilities, is contained in the privacy, breach notification, and information security policies and procedures.
Proof of compliance is evidence-based, which means that policies, procedures, plans, forms, standards, etc., need to be in place to demonstrate compliance. During an audit, the auditor will assess the alignment of the three “P’s” – Perceptions, Policies, and Practices!
tw-Security recommends conducting a high-level review of existing privacy, security, and breach notification policies that results in a short report of general findings and recommendations. Frequently, we find that current policies and standards exist; however, some may be outdated or may not accurately reflect current practices. Consequently, the review helps us know where to focus efforts: remediating existing documents or creating new ones.
We write policies and procedures for targeted groups of readers and cross-reference them to applicable frameworks, standards, and regulations.
The most efficient way to amend the policies and procedures is to have knowledge of the information security and privacy program. Two critical areas inform the policies – the risk analysis that identifies safeguards and controls, and the results of an evaluation of compliance with HIPAA or other regulations. We utilize our collection of customizable templates to create new, framework-based privacy, breach notification, and information security policies. Our policies and procedures are “right-sized” and uniquely tailored for an organization.
We organize policies in three groups for the targeted reader.
1. Workforce Policies
Organization-wide policies written for employees and workforce members, containing the pertinent policy statements and procedures for information security, privacy, and breach notification.
2. IT Security Policies and Procedures
The IT Security Manual is a collection of policies and procedures for the information services staff and application and system administrators. The manual establishes policies and procedures for appropriately protecting information resources from accidental or intentional unauthorized use, modification, disclosure, or destruction. Adherence to the information security policies safeguards the confidentiality, integrity, and availability of your information. We can cross-reference the policies to relevant frameworks, standards, and regulations for your organization. Examples include:
- HIPAA Security Rule
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), the primary publication of the Cybersecurity Act of 2015, Section 405(d)
- Joint Commission
- NIST Cybersecurity Framework
- The General Data Protection Regulation (GDPR)
- ISO 27001
- HITRUST Common Security Framework (CSF)
3. Privacy and Breach Notification Policies and Procedures
The Privacy and Breach Notification Manual provides a comprehensive risk-based and compliance approach to protecting the various types of confidential information. The Manual is a collection of policies and procedures written for the Privacy Officer, Compliance Officer, and HIM Department. We can cross-reference the policies to relevant frameworks, standards, and regulations, such as:
- HIPAA Privacy Rule
- Breach Notification and Sanction Requirements
- The General Data Protection Regulation (GDPR)
- FERPA (Title 34, Subtitle A, Chapter I, Part 99)
- HITRUST Common Security Framework (CSF)
- Alignment with state requirements, e.g. the California Consumer Privacy Act of 2018 (CCPA); Washington State Office of the CIO requirements for Security, Privacy, and Breach Notification; and Data Share Agreements