Every organization that is subject to HIPAA must have documented policies and procedures in place. In fact, so many organizations are unaware of this requirement that “lack of policies and procedures” is one of the key findings in the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) resolution agreements.
Mandatory requirements aside, policies and procedures are the backbone of any successful information risk management program. When drafting your policies and procedures (see our handy toolkits here), always keep in mind the following points:
- Why do these policies and procedures exist?
- Who is covered?
- What is covered?
- What’s required or prohibited?
- Who enforces?
- What happens if I don’t comply?
This resource will serve as a simplified guide for understanding HIPAA policies and procedures.
Your Guide to HIPAA Policies and Procedures
This is not an official, exhaustive HIPAA policies and procedures guide. It is intended to provide some basic information for those completely new to the topic. If you need a more detailed explanation of various rules and issues, contact one of our experts today.
Policies and Procedures Are Mandatory
You first need to know that HIPAA policies and procedures are not optional. If you are a covered entity (CE) or business associate (BA), you must introduce measures that comply with HIPAA. This requirement is clearly spelled out in the law, and ignorance of the law is not an excuse. Small CEs and BAs must comply with HIPAA, just as large CEs and BAs do, although there is some flexibility as to what’s “reasonable and appropriate” for your environment.
Remember that documentation of policies and procedures is always asked for by OCR in the case of an audit, investigation, and/or breach report!
The onus is on you to implement compliance measures as soon as you encounter a single piece of protected health information (PHI). It’s as simple as that.
Fines For Not Having Policies and Procedures are Steep!
Depending on the violation and frequency of the violation, businesses can be fined between $100 and $50,000 for all violations of an identical requirement or prohibition occurring within the same calendar year. A quick review of OCR’s recent enforcement actions shows that HIPAA compliance is no longer taking a backseat to other compliance initiatives.
The 3 Types of HIPAA Policies and Procedures
HIPAA contains three “pillars” of compliance: the HIPAA Privacy Rule, the HIPAA Security Rule, and the Breach Notification Rule. As an organization that comes into contact with protected health information, you need to have policies and procedures in place that speak to the requirements of each of these rules.
Privacy Policies and Procedures
The HIPAA Privacy Rule requires organizations to implement safeguards to protect patient privacy and gives patients certain rights regarding their health information.
Organizations must develop policies and procedures to satisfy their obligations under HIPAA. You’re required to document, maintain, and enforce very specific policies that protect the privacy of protected health information and ensure that patient rights are upheld.
Despite the need and call for policies and procedures, however, a massive gap still remains in the healthcare industry. Many organizations are failing to create, implement, and effectively enforce policies, and that failure may ultimately result in civil monetary penalties from OCR and, more importantly, patient harm. HIPAA privacy policies and procedures should include the following items:
- pertinent definitions
- your organization’s responsibilities under the law
- information regarding proper/improper use of PHI
- detailed steps on how your workforce members are to carry out an organization’s responsibilities
- individual rights
- sanctions for noncompliance
Security Policies and Procedures
The Security Rule requires that CEs and BAs implement certain administrative, physical, and technical safeguards to ensure the integrity, confidentiality, and availability (CIA) of electronic PHI. As such, security policies and procedures that address each “requirement” and “implementation specification” of the HIPAA Security Rule are required.
Successful security policies and procedures inform workforce members as to how to protect an organization’s infrastructure and sensitive information.
Your HIPAA security policies and procedures must include the elements that will successfully convey those responsibilities. Consider the following question: “If a team member won the lottery and quit today, would my other team members be able to do his/her job?” Remember that your policies and procedures (Privacy, Security, and Breach) act as a key training item.
Breach Notification Policies and Procedures
The HIPAA Breach Notification Rule requires CEs and BAs to provide notification following a breach of unsecured PHI. If a breach occurs, CEs and BAs must follow certain steps to comply with HIPAA, including having policies and procedures in place that deal with such items as notification to affected individuals, media notice, and notification to the Secretary of HHS.
You do not want to wait until you have a breach to think about breach policies and procedures. These will be your organization’s lifeline in determining if a breach has actually occurred and the steps you must take to comply.
HIPAA breach policies and procedures include the following items:
- the definition of breach vs. incident
- breach risk assessment framework
- criteria for deciding if the breach meets any exceptions
- responsible parties
- contractual requirements, with both federal and state law considered
Despite the importance of having proper documentation, most covered entities and business associates do not have comprehensive or accurate HIPAA policies and procedures in place. Do you?