Guest basilb
Posted

Hi - I was hoping to collect some thoughts on HIPAA security policies and procedures requirements. I've been looking for a good template to use for creating policies/procedures for our plan, but haven't really found one.

For a self-funded group health plan with a third-party administrator, what exactly are the requirements for establishing policies and procedures? Company employees do have some access to PHI. I've seen one approach is to say that since the plan does not have any of its own employees and does not own the equipment or media used to maintain/transmit ePHI, the risk analysis outcome is that the plan does not have control over most of the standards that HIPAA imposes, e.g., workforce security and information access management. The plan, being the only real "covered entity", then simply puts into place business associate agreements where necessary, appoints a security official, and ensures that the plan is properly amended for plan sponsor compliance. This approach then assumes that the plan sponsor only has the obligations imposed through the plan document, not including the establishment of policies and procedures.

Any thoughts about this approach? It seems like if this is correct, then most plans would not need to address most of the security standards set out in the regs - surely that can't be right. Am I missing something? And, can someone point me to a good template?
