Implementing the remediation plan includes developing appropriate policies and procedures to provide the overall direction for the controls. Procedures spell out the details of how specific controls will be implemented. While security policies should be known by all members of your workforce, some security procedures may need to be treated as sensitive information. In that case, only a limited number of persons with a "need-to-know" should have access to those procedures (for example, how to set passwords or the encryption methodology employed). Even when procedures are sensitive and the number of staff with a need-to-know is limited, there should always be more than one person who knows each procedure (backup), and no one person should know all procedures for all controls (separation of duties).

Carosh will review existing policies and procedures to assess their appropriateness in addressing risk and security threats. For the deficiencies identified in the Security and Privacy Risk Assessment(s), we will develop the policies and procedures necessary to address them, tailored to your workflow and personnel. Outsourcing the documentation development and preparation, especially when combined with the Security Risk Assessment, ensures a complete "Master Manual" that can be used by anyone in the practice to find procedures and forms to manage all aspects of HIPAA compliance.