How to Upload Business Associate Agreements/Vendor Confidentiality Agreements to a Vendor Profile
Scroll toward the bottom of that screen so you can see the vendor you wish to add the agreement for. Click on their name beneath ‘Modify/View a Vendor’ so their name highlights black. Then, click ‘View Selected Item’ to the bottom-left in order to bring their information to the top of the screen.
With that Vendor’s profile now loaded beneath ‘Vendor Details,’ click the tab labeled ‘Contracts’ found mid-screen and select ‘Upload New Document.’
A yellow window will now appear. Within this yellow window you will click ‘Choose File’ to find where the document is on your computer. The ‘Enactment Date’ would be the day the agreement was signed off on and the ‘Review Date’ would be one year after that ‘Enactment Date.’ Leave the box which asks if you’d like this to be readable by all users blank. You do not want this readable by all users. Finally, within the ‘Description’ field you will enter a prefix of BA ahead of the Organization name for a Business Associate Agreement, and the name of the individual entering your Facility for a ‘regular’ Vendor who has returned a Confidentiality Agreement.
How to build the Framework for your Remediation Plans
In order to fix these deficiencies we will need to develop remediation plans along with you. To start, you will only be setting up the skeleton for the plan which will fix each gap found. In order to set up the framework for this remediation plan, you will want to hover over ‘Auditing’ and select ‘Remediation Plans’ from the drop down which shows.
Within the Gaps tab you will need to avoid clicking the ‘All>>’ key. The reason is that the Government wants to see that you are addressing each and every Gap with its own plan. Instead of clicking ‘All>>,’ utilize the ‘Sel >’ key after highlighting the top-most gap found beneath ‘Unassociated/Open Gap Items.’ This will move the Gap from the ‘Unassociated/Open Gap Items’ field to the ‘Associated Gap Items’ field.
You will find that toward the top of the screen, next to ‘Remediation Plan Title,’ the name for that plan auto-populates to spare you from having to type that in.
Type in the Full Name of the person who it will be ‘Assigned To’ and then insert their e-mail address. The ‘Start Date’ and ‘End Date’ were both dates discussed with you by your Compliance Coach. Please contact your Coach if you need a refresher on which dates to utilize. Now, avoid clicking ‘Mark Complete/Gaps Resolved,’ and instead click ‘Save Remediation Plan’ to your left-hand side. The framework for this plan has now been built.
Keep following this exact same process, moving gaps over one at a time, until all of them have been saved to a remediation plan and no more show beneath the ‘Unassociated/Open Gap Items’ field.
How to Change Policy Templates within The Guard so that they are Unique to your Organization
The first thing you will work on in relation to policy is policy creation. Your Coach will begin the policy creation process by emailing you all 17 Security Documents (along with our Policy Review Notes and Tips sheet). If you are a Business Associate, you will also receive a few privacy policies which require your attention (numbers 21, 22, and 24).
After receipt of the policies, you will want to minimize your browser in order to build two new folders on your desktop –
As shown above, be sure to title one folder Security and the other folder Privacy.
Now, download the policies from your email into their respective folders on the desktop.
After the policies are on your computer, there is a bit of administrative work to do on each policy. Read on for further instruction –
You will notice this table atop each and every policy. Once you fill it in one time on one policy, please feel free to copy/paste your way through the remainder of the documents.
For ‘Logo or Company Name’, please feel free to enter in your organization’s logo. If you do not have a logo, please type in your organization’s name. Not a big deal if you are lacking a logo. Utilizing type in this instance is absolutely fine.
For ‘Company Name’ please type in your organization’s name so that it is clear as day. Sometimes logos are not telling enough. That’s why we ask you to reiterate the Company name.
The ‘Effective Date’ should be about six weeks forward from today’s date, rounded to the first, fifteenth or last day of the following month.
‘Responsible for Review’ would be yourself.
The ‘Review Date’ is one year following the ‘Effective Date’. Read on for more instructions about the necessary administrative work –
You will notice the policies have the above bracketed [ORGANIZATION] throughout. We don’t want this to be reflected throughout the entirety of the document. We also don’t want you to add in your organization’s name each and every time this appears. Instead, we will perform a ‘Find and Replace’ to change these fields to your Company name in one fell swoop.
To perform a ‘Find and Replace’ on a PC/Windows computer, first highlight and copy the text of Organization. Now, you can press the button at the very, very bottom-left of your keyboard (CTRL) at the same time as you press the letter F. A window will appear with a field labeled ‘Find’. Right click to paste in Organization and MS Word will now seek out each instance of Organization formatted in this fashion. Upon locating each instance, we now want to utilize the field marked ‘Replace’. Type in your Organization’s name here and hit ‘Replace All’. You have now completed your ‘Find and Replace’!
Note – If you are on a Mac computer, it is the same steps, except you will press the ‘Command’ key at the same time as the F key.
After performing your ‘Find and Replace’ you will want to scroll past all content within the policy. This ‘Authorized By’ field is found at the very bottom of each policy document. Simply type in the full name and job title for the individual who authorizes policies and procedures throughout your Organization. This may come down to an internal conversation for you. There is no need to print this document and physically sign. Type is absolutely fine in this instance as well.
This is a bit of a silly thing to say, but please be sure to hit the save button (as seen above) after completing your administrative work for any given policy so you don’t lose your work.
At this point, just leave the document inside of its respective Security/Privacy folder on your desktop. DO NOT UPLOAD THESE TEMPLATES TO THE GUARD YET. WE WILL TELL YOU WHEN TO DO SO.
Get ready to switch gears now –
Above you will notice the first page of your ‘Policy Review Notes and Tips sheet’. You will want to begin your reading of this tips sheet on page four. This is the beginning of the discussion on Security and runs through page seventeen. If you are a Business Associate, please be sure to also review page 23.
Nope, not quite. That is part one. Part two comes along with what we call the ‘Deep Dive’.
The ‘Deep Dive’ is the actual reading of the policies. However, we ask that you approach this in a certain manner.
You will first want to line up the tips sheet directly next to the policy which you are reviewing. This is to afford you the opportunity to use the tips sheet as more of a reference guide, instead of where you are pulling your knowledge from. Now, begin your reading of the policy. It’s only natural that questions, concerns and inquiries will stem from your reading. When you are left puzzled, that is when you want to refer to the tips sheet. It will have approximately 80% of the answers you’re looking for. However, we use 80% very purposefully. That is because there will be outliers. There will be the 20% of questions that you have that are just better than the FAQs which made up the tip sheet in the first place. Obviously we want to address those questions for you as well. In order to do so, please jot your question down on a plain old piece of paper with a pen. Indicate alongside your question whether it was an S for a security question, a P for a privacy question and the number of the policy which your question came from. This gives us a general idea of what your mindset was upon posing the question, allows us to see which policy was the catalyst for the question and ultimately allows us to provide you an expeditious reply.
Note – Just to clarify: Business Associates complete all of Security and 3 Privacy policies. Covered Entities will complete all of Security and Privacy respectively.
For Covered Entities – You will first be sent all of the security documents and the tips sheet. The idea is to break it up, so you are not addressing ALL the policies at one time. After completion of the administrative work on the Security policies, the expectation is that (when you reach your next meeting) you will jump into the Deep Dive there. As you move into the Security Deep Dive, your Coach will send you your Privacy policies. This will allow you the opportunity to perform your necessary Security reading at the same time as when you address the basic elements of Privacy. We’re going to just keep rolling the work on over until all policies have been read.
Are we There Yet?
You are almost at the summit but not just yet. After the policies have been read, all your questions are addressed, and everyone is satisfied with the outcome, you will post your finalized policies back into the Guard. Read on for further instructions on uploading finalized policies –
As seen above, you will want to navigate to the Document Repository (Tracking, then Documents) to post your policies back into the system. From here, think of anything which is below the mid-line as done, finito, complete. That’s how you can remember which folder to upload towards and avoid overwriting any templates.
First, click on the folder you wish to upload towards (either Security, or Privacy). It will turn green and pop open. From the spot where it turned green, please look down about 1-2 inches for a button labeled ‘Upload’.
As soon as you hit Upload, a yellow dialog box will show. This is how you pull the file off your computer. First, select Choose File to do so.
The Enactment Date is the same as the Effective Date your Coach originally advised you on. Simply pop open a policy, and list in the yellow window whichever date you see as the Effective Date under Enactment Date. The Review Date is one year following the Enactment Date. Please be sure to check the box which states ‘Check if you Want this Document Readable by all Users’. We may have been avoiding it previously but now it is time to put it to use!
Your yellow window should reflect the same as what you see above.
Now, very last, be sure to hit Upload Document. The yellow window will disappear and your policy will be present in the Guard under Document Name.
Here’s what to have prepared for your next meeting
Please be sure to have any questions you’d like addressed laid out as explained above.
Please be sure to have uploaded all BAAs/Vendor CAs as explained above.
Please be sure to have built the framework for all your remediation plans/gaps.