Mapping guides

How FairWarning Fulfills on HIPAA

Issue link: https://www.fairwarning.com/insights/i/1104112


Privacy Audit Protocol Mapping

§164.530(d)(2)

Established Performance Criteria: §164.530(d)(2) Implementation specification: Documentation of complaints. As required by paragraph (j) of this section, a covered entity must document all complaints received, and their disposition, if any.

Key Activity: Complaints to the Covered Entity

Audit Procedures: Has the covered entity documented all complaints received and their disposition consistent with the performance criteria? Obtain and review a sample of documentation of complaints for consistency with the established performance criterion.

FairWarning® Patient Privacy Intelligence: FairWarning® provides incident tracking and management via the Investigations section, allowing for full documentation of post-incident analyses, resolution, mitigation, and other activities, including patient complaints.

Partial or Full: Full

FairWarning® Mapping: PPM

§164.530(e)(1)

Established Performance Criteria: §164.530(e)(1) Standard: Sanctions. A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of this subpart or subpart D of this part. This standard does not apply to a member of the covered entity's workforce with respect to actions that are covered by and that meet the conditions of § 164.502(j) or paragraph (g)(2) of this section.

Key Activity: Sanctions

Audit Procedures: Does the covered entity apply appropriate sanctions against members of the workforce who fail to comply with the privacy policies and procedures of the entity or the Privacy Rule? Obtain and review policies and procedures to determine if the entity has and applies sanctions consistent with the established performance criterion. Obtain and review documentation of the application of sanctions to a sample of workforce members to determine whether appropriate sanctions were applied. (Note: OCR is not looking for violations in order to take enforcement action; we are restricting our analysis to whether appropriate sanctions consistent with the entity policies have been applied.)

FairWarning® Patient Privacy Intelligence: FairWarning® provides incident tracking and management via the Investigations section, allowing for full documentation of post-incident analyses, resolution, mitigation, and other activities, including any sanctions.

Partial or Full: Partial (we cannot apply the sanctions). We can only provide a repository for documenting the resolution of violations.

FairWarning® Mapping: IM/GR

§164.530(f)

Established Performance Criteria: §164.530(f) Standard: Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of this subpart by the covered entity or its business associate.

Key Activity: Mitigation

Audit Procedures: Does the covered entity mitigate any harmful effect that is known to the covered entity of a use or disclosure of PHI by the covered entity or its business associate in violation of its policies and procedures? Obtain and review policies and procedures in place for consistency with the established performance criterion. Determine whether a process is in place to ensure mitigation actions are taken pursuant to the policies and procedures. From a population of instances of non-compliance within the audit period, obtain and review documentation to determine whether mitigation plans were developed and applied pursuant to the policies and procedures. [Note: OCR is not looking for violations in order to take enforcement action; we are restricting our analysis to whether appropriate mitigation plans consistent with the entity policies have been developed and applied.] Obtain and review documentation that the policies and procedures are conveyed to the workforce.

FairWarning® Patient Privacy Intelligence: FairWarning® provides incident tracking and management via the Investigations section, allowing for full documentation of post-incident analyses, resolution, mitigation, and other activities, including any sanctions.

Partial or Full: Partial - We can provide the documentation and tracking for mitigation.

FairWarning® Mapping: PPM
