Policies and Procedures
Course Project – Privacy Officer Assessment
The objective of the course project is to tie together all TCOs in a comprehensive manner, while giving students the chance to take on the role of Privacy Officer.
For your course project, you will play the role of a Privacy Officer. You have been asked by management to develop the content of an organization’s security and privacy training and awareness program. You will select privacy and security topics that need to be communicated to all workforce members and develop a plan.
Medical Center of DeVry is a leading healthcare organization, specializing in pediatric healthcare with an expanded network of physicians and pediatric specialists. It is the beginning of the fiscal budgetary year, and all assessments, improvement projects and proposals are due within the next 30 days. As the Privacy Officer, you will have to create a Privacy and Security Plan. This process will consist of three components: an assessment of the organization, a training and awareness program, and a communication plan.
The purpose of the assessment is to review the current condition and effectiveness of your Privacy and Security program, in order to move forward with HIPAA’s Privacy and Security requirements.
Once the assessment is complete, you will use the results to make a decision about improvement tools, and create a training and awareness plan. The purpose of the training and awareness plan is to bring awareness to the organization for a collaborative effort in improving Privacy and Security of the facility. Preferably, the plan would address areas that need special attention, such as issues related to HIPAA compliance, including physical safeguards.
Once both the assessment and training and awareness plans are complete, you will then need to develop communication tools to convey them to the rest of the organization.
You have completed your assessment and found that several policies are out of date or are missing critical elements. You have submitted a plan to management, which has approved your proposed actions to create two new policies, two reporting tools to ensure easy compliance with the new policies, and your plan to train employees on the new policies and tools. Following the directions below, create the new policies, reporting tools, and inform staff of training. Once you have completed these three elements, compile all the information into a fifteen-minute presentation which you will give to management discussing your overall findings, policies, tools, and training conducted.
Based on your review, you have determined that specific policies relating to incident reporting and physical safeguards needed revising. Develop two separate policies using the template below to address the following topics.
1. Incident Reporting
   a. Address what types of incidents should be reported to include:
      1. Inappropriate use of computer
      2. Release of Information to patients and outside agencies/individuals without authorization
   b. Address the expectations for reporting to include:
      1. Time-frame in which employees need to report
      2. How employees will report
   c. Outline the procedures for reporting incidents to include:
      1. Who receives complaints
      2. How complaints are investigated
      3. How notification to affected individuals occurs
2. Physical Safeguards
   a. Securing workstations to include:
      1. Auto-lock feature
      2. Securing equipment, such as laptops
   b. Record disposal to include:
      1. Electronic media such as hard drives and CDs
      2. Paper documents
3. Use the following template.
Medical Center of DeVry
Last Updated: Today’s Date
Purpose: (What the policy is addressing)
Requirements: (What are the processes to follow and who do they apply to?)
Procedures: (What steps does the organization need to follow to ensure the requirements are met)
Special Circumstances: (Is there any issue where the policy may not apply)
B: Reporting Tools
After completing the policies and procedures, you determine that it will be useful to develop some new tools to reinforce compliance with the revised policies and procedures.
Your reporting tools should consist of:
1. An incident reporting form which should include the following elements:
   a. Date of Incident
   b. Type of Complaint/Incident
   c. Complaint Details
   d. Staff Questioned/Involved
2. A checklist for security staff to use for audits and compliance which should include the following elements:
   a. Document disposal
   b. Media disposal
   c. Unsecured workstations