npm - bmad-plus - Versions diffs - 0.4.4 → 0.6.0 - Mend

bmad-plus 0.4.4 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (197) hide show

package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md ADDED Viewed

@@ -0,0 +1,568 @@
+# HIPAA Document Templates Reference
+---
+## Table of Contents
+1. [Notice of Privacy Practices (NPP)](#1-notice-of-privacy-practices-npp)
+2. [Business Associate Agreement (BAA)](#2-business-associate-agreement-baa)
+3. [HIPAA Privacy Policy (Internal)](#3-hipaa-privacy-policy-internal)
+4. [HIPAA Authorization Form](#4-hipaa-authorization-form)
+5. [Workforce Training Acknowledgment](#5-workforce-training-acknowledgment)
+6. [Security Incident Report Form](#6-security-incident-report-form)
+7. [Breach Risk Assessment Template](#7-breach-risk-assessment-template)
+8. [Risk Analysis Template](#8-risk-analysis-template)
+9. [HIPAA Compliance Checklist](#9-hipaa-compliance-checklist)
+---
+## 1. Notice of Privacy Practices (NPP)
+> Required for all Covered Entities. Must be in plain language.
+```
+NOTICE OF PRIVACY PRACTICES
+[ORGANIZATION NAME]
+Effective Date: [EFFECTIVE DATE]
+THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND
+DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
+PLEASE REVIEW IT CAREFULLY.
+─────────────────────────────────────────
+OUR PLEDGE REGARDING YOUR HEALTH INFORMATION
+─────────────────────────────────────────
+[ORGANIZATION NAME] is committed to protecting the privacy of your health
+information ("Protected Health Information" or "PHI"). We are required by law to:
+• Maintain the privacy of your PHI
+• Provide you with this notice of our legal duties and privacy practices
+• Notify you if there is a breach of your unsecured PHI
+• Abide by the terms of this notice
+─────────────────────────────────────────
+HOW WE MAY USE AND DISCLOSE YOUR PHI  // 45 CFR §164.520(b)(1)(ii)
+─────────────────────────────────────────
+FOR TREATMENT: We may use or disclose your PHI to coordinate or manage your
+healthcare. Example: We share your records with a specialist we refer you to.
+FOR PAYMENT: We may use or disclose your PHI to bill and receive payment for
+services. Example: We send your diagnosis and procedure codes to your insurer.
+FOR HEALTH CARE OPERATIONS: We may use or disclose your PHI to run our
+organization. Example: We review records to assess quality of care.
+OTHER PERMITTED USES AND DISCLOSURES (without your authorization):
+• As required by law
+• For public health activities (reporting communicable diseases, FDA reporting)
+• For health oversight activities (government audits, inspections)
+• For law enforcement purposes (limited, as required by law)
+• To avert a serious threat to health or safety
+• For workers' compensation
+• [Add others applicable to your organization]
+─────────────────────────────────────────
+USES AND DISCLOSURES REQUIRING YOUR WRITTEN AUTHORIZATION
+// 45 CFR §164.508
+─────────────────────────────────────────
+We will ask for your written authorization before using or disclosing your PHI for:
+• Psychotherapy notes (with limited exceptions)
+• Marketing purposes
+• Sale of your PHI
+• Any other use or disclosure not described in this Notice
+You may revoke your authorization at any time in writing.
+─────────────────────────────────────────
+YOUR RIGHTS REGARDING YOUR PHI  // 45 CFR §164.520(b)(1)(iv)
+─────────────────────────────────────────
+RIGHT TO ACCESS: You have the right to inspect and receive a copy of your PHI.
+To request access, contact: [CONTACT INFORMATION]. We will respond within 30 days.
+A reasonable fee may apply.  // 45 CFR §164.524
+RIGHT TO AMEND: You have the right to request a correction to your PHI.
+We may deny your request in certain circumstances.  // 45 CFR §164.526
+RIGHT TO AN ACCOUNTING OF DISCLOSURES: You have the right to receive a list of
+disclosures of your PHI made in the past 6 years (excluding TPO and certain
+other disclosures).  // 45 CFR §164.528
+RIGHT TO REQUEST RESTRICTIONS: You may request we restrict uses/disclosures
+of your PHI. We are not required to agree, EXCEPT: if you pay out-of-pocket in
+full for a service and request we not share with your health plan, we must honor
+that restriction.  // 45 CFR §164.522(a)
+RIGHT TO CONFIDENTIAL COMMUNICATIONS: You may request we contact you by
+alternative means or locations.  // 45 CFR §164.522(b)
+RIGHT TO RECEIVE THIS NOTICE: You have the right to a paper copy of this
+Notice at any time.
+─────────────────────────────────────────
+OUR DUTIES  // 45 CFR §164.520(b)(1)(v)
+─────────────────────────────────────────
+We are required to abide by the terms of this Notice. We reserve the right to
+change our privacy practices and this Notice. If we make a material change, we
+will provide a revised Notice.
+─────────────────────────────────────────
+COMPLAINTS  // 45 CFR §164.520(b)(1)(vi)
+─────────────────────────────────────────
+If you believe your privacy rights have been violated, you may file a complaint
+with us or with the U.S. Department of Health and Human Services Office for Civil
+Rights. We will not retaliate against you for filing a complaint.
+To file with us: [CONTACT NAME, TITLE, ADDRESS, PHONE, EMAIL]
+To file with HHS: www.hhs.gov/ocr/privacy/hipaa/complaints/
+─────────────────────────────────────────
+CONTACT US
+─────────────────────────────────────────
+Privacy Official: [NAME AND TITLE]
+[ADDRESS]
+[PHONE NUMBER]
+[EMAIL ADDRESS]
+```
+---
+## 2. Business Associate Agreement (BAA)
+> Required before sharing PHI with any vendor/partner who will create, receive, maintain, or transmit PHI on your behalf.
+```
+BUSINESS ASSOCIATE AGREEMENT
+This Business Associate Agreement ("Agreement") is entered into as of [DATE]
+by and between:
+[COVERED ENTITY / BUSINESS ASSOCIATE NAME] ("Covered Entity" / "Business Associate")
+[ADDRESS]
+and
+[BUSINESS ASSOCIATE NAME] ("Business Associate")
+[ADDRESS]
+RECITALS
+Business Associate performs [DESCRIPTION OF SERVICES] for Covered Entity
+("Services") pursuant to [UNDERLYING SERVICES AGREEMENT, if applicable].
+In connection with these Services, Business Associate may create, receive,
+maintain, or transmit Protected Health Information ("PHI") on behalf of
+Covered Entity.
+DEFINITIONS  // 45 CFR §164.304
+Terms used but not otherwise defined shall have the same meaning as under
+the HIPAA Rules (45 CFR Parts 160 and 164).
+1. OBLIGATIONS OF BUSINESS ASSOCIATE  // 45 CFR §164.504(e)(2)
+1.1 Use and Disclosure Limitations. Business Associate shall not use or
+disclose PHI other than as permitted or required by this Agreement or as
+Required by Law.
+1.2 Permitted Uses and Disclosures. Business Associate may:
+(a) Use and disclose PHI as necessary to perform the Services;
+(b) Use PHI for Business Associate's proper management and administration;
+(c) Disclose PHI for Business Associate's proper management and administration
+    if Required by Law or if Business Associate obtains reasonable assurances
+    of confidential handling and prompt notification of any breaches.
+1.3 Safeguards. Business Associate shall implement and maintain appropriate
+administrative, physical, and technical safeguards that reasonably and
+appropriately protect the confidentiality, integrity, and availability of
+ePHI in accordance with 45 CFR §§164.308, 164.310, 164.312, and 164.316.
+1.4 Subcontractors. Business Associate shall require any subcontractors that
+create, receive, maintain, or transmit PHI on behalf of Business Associate
+to execute a written agreement imposing the same conditions as this Agreement.
+// 45 CFR §164.308(b)(2)
+1.5 Reporting. Business Associate shall report to Covered Entity:
+(a) Any Breach of Unsecured PHI without unreasonable delay and within 60 days
+    of discovery;  // 45 CFR §164.410
+(b) Any Security Incident of which it becomes aware, including unsuccessful
+    attempts;  // 45 CFR §164.314(a)(2)(i)(C)
+(c) Any use or disclosure not provided for by this Agreement.
+1.6 Access. Business Associate shall make available PHI to Covered Entity
+as necessary to satisfy Covered Entity's obligations under 45 CFR §164.524.
+1.7 Accounting. Business Associate shall document disclosures to enable
+Covered Entity to respond to requests under 45 CFR §164.528.
+1.8 HHS Access. Business Associate shall make internal practices, books, and
+records relating to PHI available to HHS for determining compliance.
+1.9 Return or Destruction. Upon termination, Business Associate shall return
+or destroy all PHI, if feasible. If not feasible, protections must extend
+beyond termination.
+2. OBLIGATIONS OF COVERED ENTITY
+2.1 Covered Entity shall notify Business Associate of:
+(a) Limitations on uses/disclosures in the Notice of Privacy Practices;
+(b) Changes in, or revocation of, authorization;
+(c) Restrictions on uses/disclosures agreed to with individuals.
+3. TERM AND TERMINATION
+3.1 Term. This Agreement is effective as of [DATE] and terminates when the
+underlying Services Agreement terminates, or as provided herein.
+3.2 Termination for Cause. Either party may terminate this Agreement if the
+other party has materially violated a provision and has not cured within 30
+days of written notice.
+3.3 Effect of Termination. Obligations survive termination with respect to
+PHI retained by Business Associate.
+4. MISCELLANEOUS
+4.1 Regulatory References. Regulatory references include any amendments.
+4.2 Interpretation. Any ambiguity shall be resolved to permit compliance
+with HIPAA Rules.
+4.3 Amendment. The parties agree to amend this Agreement as necessary to
+comply with changes in law.
+IN WITNESS WHEREOF, the parties have executed this Agreement as of the date
+first written above.
+[COVERED ENTITY NAME]                    [BUSINESS ASSOCIATE NAME]
+By: ___________________________          By: ___________________________
+Name: _________________________          Name: _________________________
+Title: ________________________          Title: ________________________
+Date: _________________________          Date: _________________________
+```
+---
+## 3. HIPAA Privacy Policy (Internal)
+```
+HIPAA PRIVACY POLICY
+[ORGANIZATION NAME]
+Policy Number: [NUMBER]    Effective Date: [DATE]    Review Date: [DATE]
+Approved By: [NAME/TITLE]
+PURPOSE
+This policy establishes [ORGANIZATION NAME]'s commitment to protecting the
+privacy of Protected Health Information (PHI) in accordance with HIPAA.
+SCOPE
+Applies to all workforce members, volunteers, trainees, contractors, and
+business associates who access, use, or disclose PHI.
+POLICY STATEMENTS
+1. MINIMUM NECESSARY  // 45 CFR §164.502(b)
+   Workforce members shall access only the minimum PHI necessary to perform
+   their job functions. Accessing PHI out of curiosity or for personal
+   reasons is strictly prohibited.
+2. PERMISSIBLE USES AND DISCLOSURES  // 45 CFR §164.502
+   PHI may be used or disclosed for Treatment, Payment, and Operations (TPO)
+   without individual authorization. All other uses require authorization
+   except as outlined in this policy and applicable law.
+3. SAFEGUARDS  // 45 CFR §164.530(c)
+   All workforce members must:
+   • Log out of or lock workstations when leaving them unattended
+   • Use only assigned credentials; never share passwords
+   • Report lost or stolen devices immediately to [CONTACT]
+   • Dispose of PHI (paper and electronic) using approved methods only
+   • Not access PHI from unsecured public networks without VPN
+4. PRIVACY COMPLAINTS  // 45 CFR §164.530(d)
+   Individuals may submit privacy complaints to [PRIVACY OFFICIAL, CONTACT].
+   All complaints will be documented and investigated. No retaliation.
+5. WORKFORCE SANCTIONS  // 45 CFR §164.530(e)
+   Violations of this policy may result in disciplinary action up to and
+   including termination, and may be reported to appropriate authorities.
+6. TRAINING  // 45 CFR §164.530(b)
+   All workforce members must complete HIPAA Privacy training:
+   • Upon hire (within [X] days)
+   • Annually thereafter
+   • When material policy changes occur
+   Completion must be documented.
+RELATED POLICIES
+- HIPAA Security Policy
+- Breach Notification Policy
+- Acceptable Use Policy
+REVISION HISTORY
+[DATE] | [VERSION] | [CHANGE DESCRIPTION] | [AUTHOR]
+```
+---
+## 4. HIPAA Authorization Form
+```
+AUTHORIZATION FOR USE OR DISCLOSURE OF HEALTH INFORMATION
+// 45 CFR §164.508
+Patient Name: _________________________ Date of Birth: _____________
+Medical Record #: _____________________ SSN (last 4): ______________
+1. INFORMATION TO BE DISCLOSED
+   Description of information: ____________________________________
+   Date range: From _____________ To _____________
+   □ All records    □ Specific records: ___________________________
+2. AUTHORIZED BY (person authorizing disclosure):
+   □ Patient    □ Personal Representative
+   Name: _________________________ Relationship: _________________
+   Address: _____________________________________________________
+3. DISCLOSED TO (recipient):
+   Name/Organization: ___________________________________________
+   Address: _____________________________________________________
+   Phone: _______________________________________________________
+4. PURPOSE OF DISCLOSURE:
+   □ Continuing care    □ Personal use    □ Legal matter
+   □ Insurance          □ Other: ______________________________
+5. EXPIRATION
+   □ Specific date: _____________
+   □ Upon occurrence of: ________________________________________
+6. YOUR RIGHTS
+   • You may refuse to sign this authorization. Refusal will not affect
+     your ability to receive treatment EXCEPT: [describe any conditioning].
+   • You may revoke this authorization at any time by writing to
+     [CONTACT]. Revocation does not affect prior disclosures.
+   • Information disclosed may be re-disclosed by the recipient and
+     may no longer be protected by HIPAA.
+Signature: _____________________________ Date: __________________
+If Personal Representative:
+Description of authority: ________________________________________
+```
+---
+## 5. Workforce Training Acknowledgment
+```
+HIPAA WORKFORCE TRAINING ACKNOWLEDGMENT
+I, _________________________, acknowledge that I have:
+□ Received and read [ORGANIZATION NAME]'s HIPAA Privacy and Security Policies
+□ Completed HIPAA Privacy and Security training on [DATE]
+□ Training covered by: □ In-person □ Online module □ Video □ Other: ____
+I understand that:
+• I must protect the privacy and security of all PHI I access in my work
+• I may only access PHI that is necessary for my job duties
+• I must report potential privacy/security violations to [CONTACT]
+• Violations may result in disciplinary action up to termination
+Employee Name (print): _________________________________________
+Employee Signature: ___________________________________________
+Date: ________________
+Job Title: __________________________________________________
+Department: ________________________________________________
+Manager/Trainer Signature: ___________________________________
+Date: ________________
+```
+---
+## 6. Security Incident Report Form
+```
+SECURITY INCIDENT REPORT  // 45 CFR §164.308(a)(6)
+[ORGANIZATION NAME] — CONFIDENTIAL
+Report Date: _________________  Incident #: ___________________
+Reported By: _________________  Department: __________________
+Date/Time Discovered: ___________________________________________
+INCIDENT DESCRIPTION
+Type: □ Unauthorized access  □ Theft/Loss  □ Malware  □ Misdirected
+      □ Phishing  □ Unauthorized disclosure  □ Other: ____________
+Systems/Media Involved: _________________________________________
+PHI Involved: □ Yes  □ No  □ Unknown
+If yes, describe PHI types: ____________________________________
+Estimated # individuals affected: ______________________________
+IMMEDIATE ACTIONS TAKEN
+□ Systems isolated  □ Passwords changed  □ Law enforcement notified
+□ IT Security notified  □ Privacy Officer notified
+Actions description: ___________________________________________
+BREACH RISK ASSESSMENT  (see Breach Risk Assessment Template)
+Outcome: □ Reportable Breach  □ Not a Reportable Breach
+Rationale: ____________________________________________________
+IF REPORTABLE BREACH — NOTIFICATION STATUS
+Individual notification date: __________________________________
+HHS notification date: ________________________________________
+Media notification (if 500+): _________________________________
+ROOT CAUSE ANALYSIS
+Root cause: ___________________________________________________
+Corrective actions: ___________________________________________
+Privacy/Security Officer Signature: ____________________________
+Date: _________________
+```
+---
+## 7. Breach Risk Assessment Template
+```
+BREACH RISK ASSESSMENT  // 45 CFR §164.402
+[ORGANIZATION NAME] — CONFIDENTIAL — ATTORNEY-CLIENT PRIVILEGED
+Incident #: ___________________  Date of Assessment: ____________
+Assessor(s): __________________________________________________
+FACTOR 1: Nature and Extent of PHI Involved
+PHI types involved: ____________________________________________
+Identifiers included: □ Name  □ DOB  □ SSN  □ MRN  □ Diagnosis
+                      □ Treatment  □ Financial  □ Other: _________
+Quantity of records: ________________
+Risk assessment: □ High  □ Medium  □ Low
+Rationale: ____________________________________________________
+FACTOR 2: Unauthorized Person(s)
+Recipient(s): _________________________________________________
+Type: □ CE/BA employee  □ Other CE/BA  □ Member of public  □ Unknown
+      □ Known malicious actor
+Risk assessment: □ High  □ Medium  □ Low
+Rationale: ____________________________________________________
+FACTOR 3: PHI Actually Acquired or Viewed
+Evidence of access: ____________________________________________
+Recipient response (if obtained): ______________________________
+Technical evidence: ____________________________________________
+Risk assessment: □ High  □ Medium  □ Low
+Rationale: ____________________________________________________
+FACTOR 4: Mitigation
+Steps taken: □ PHI retrieved/destroyed  □ Credible assurance obtained
+             □ Confidentiality agreement signed  □ Other: ________
+Documentation of mitigation: ___________________________________
+Risk assessment: □ High  □ Medium  □ Low
+Rationale: ____________________________________________________
+OVERALL DETERMINATION
+□ LOW probability of compromise → Not a reportable breach
+□ Cannot demonstrate low probability → REPORTABLE BREACH
+Overall rationale: ____________________________________________
+Signatures:
+Privacy Officer: _________________________  Date: ______________
+Legal Counsel: __________________________  Date: ______________  (recommended)
+```
+---
+## 8. Risk Analysis Template
+```
+SECURITY RISK ANALYSIS  // 45 CFR §164.308(a)(1)(ii)(A)
+[ORGANIZATION NAME]
+Date: _______________  Version: ____________  Conducted by: ______________
+Review Date: _______________
+SCOPE
+ePHI Systems and Assets Covered:
+□ EHR/EMR System: _______________________________________________
+□ Practice Management System: __________________________________
+□ Billing Systems: _____________________________________________
+□ Email Systems: _______________________________________________
+□ Portable Devices (laptops, tablets, mobile): _________________
+□ Backup/Disaster Recovery Systems: ___________________________
+□ Cloud Storage/Services: _____________________________________
+□ Physical Servers: ____________________________________________
+□ Other: ______________________________________________________
+RISK ASSESSMENT TABLE
+(Complete one row per identified threat/vulnerability pair)
+| Threat | Vulnerability | Likelihood (H/M/L) | Impact (H/M/L) | Risk Level | Current Controls | Residual Risk | Action Required |
+|--------|--------------|-------------------|----------------|------------|-----------------|---------------|----------------|
+| Ransomware | No offsite backup | H | H | HIGH | Daily local backup | HIGH | Implement offsite/cloud backup |
+| ... | ... | ... | ... | ... | ... | ... | ... |
+RISK MANAGEMENT PLAN
+Priority remediations based on HIGH risk items:
+1. ____________________________________________________________
+2. ____________________________________________________________
+3. ____________________________________________________________
+Authorization:
+Security Official: ______________________  Date: ______________
+Executive Sponsor: ______________________  Date: ______________
+```
+---
+## 9. HIPAA Compliance Checklist
+```
+HIPAA COMPLIANCE QUICK CHECKLIST
+[ORGANIZATION NAME]  |  Date: _______________  |  Assessor: _______________
+PRIVACY RULE
+□ Privacy Official designated and active
+□ Notice of Privacy Practices current and distributed
+□ Patients receive NPP at first service; acknowledgment documented
+□ Written authorization obtained where required
+□ Minimum necessary standard enforced (role-based access)
+□ Patient rights process in place (access, amendment, accounting, restrictions)
+□ BAAs in place with all vendors who handle PHI
+□ Privacy complaint process documented
+□ Workforce training current and documented
+□ Sanction policy implemented
+SECURITY RULE
+□ Security Official designated
+□ Risk Analysis completed and current
+□ Risk Management Plan in place
+□ Unique user IDs (no shared logins)
+□ MFA implemented for ePHI access
+□ Encryption at rest (AES-256)
+□ Encryption in transit (TLS 1.2+)
+□ Audit logging enabled and reviewed regularly
+□ Automatic session timeout configured
+□ Anti-malware protection current
+□ Media disposal procedures in place
+□ Contingency / disaster recovery plan tested
+□ Workforce security training current
+□ BAAs include security requirements
+BREACH NOTIFICATION
+□ Breach response plan documented
+□ Workforce knows how to report incidents
+□ Incident log maintained
+□ Risk assessment process in place
+□ HHS annual log maintained (< 500 breaches)
+□ Individual notification templates ready
+DOCUMENTATION
+□ All policies/procedures current and accessible
+□ Training records maintained (6 years)
+□ Risk analyses retained (6 years)
+□ BAAs retained (6 years)
+□ Incident/breach records retained (6 years)
+NOTES / GAPS IDENTIFIED:
+__________________________________________________________________
+__________________________________________________________________
+```