Without a doubt, your organization’s HIPAA Policies and Procedures are the “nuts and bolts” that keep your HIPAA Compliance Program on track and the basis for protecting you against costly HIPAA penalties. But taking the time to define your organization’s Policies and Procedures requires forethought on how to respond appropriately to all of HIPAA’s requirements. That’s because your Policies and Procedures cover such a broad range of topics – including Access Control, Security Measures, Emergency Access, Integrity Controls, Risk Management, Breach Management, and Workforce Security – and none of these can afford to be overlooked. However, once prepared, they provide your staff with a set of explicit guidelines to follow in order to limit the possibility of a breach occurring.
To give you a basic breakdown on how to approach your HIPAA Policies and Procedures, there are a few important standards to follow. First of all, they must be documented. This step is essential in making sure that you’ve addressed each of the necessary mandates found within the sections of HIPAA – such as the Privacy Rule, Security Rule, HITECH Act, Omnibus Final Rule, and Breach Notification Process – and that no aspect of the HIPAA guidelines is missed. As for the difference between the two elements, Policies versus Procedures: your Policies are made up of a brief description of the rules your organization has defined to meet HIPAA requirements. These Policies are then supported by separate written Procedures, describing the steps your organization will take to comply with those Policies. While your Policies will seldom need to be adjusted, you must keep a close eye on your Procedures to make sure they remain sufficient to meet HIPAA requirements, and make adjustments whenever something significant occurs.
Your Policies and Procedures are more than just documents – in order to work, they actually have to become a part of your company culture.
Here are 5 things you can do to make your Policies and Procedures a part of your culture:
- Develop checkpoints throughout the year and assign responsibility to key individuals within your facility to maintain adherence among your entire staff.
- Provide documentation of how the Policies and Procedures are being enforced, such as pages from your Visitor Log Book or Server Room Sign-in Sheet.
- Review established checkpoints on a monthly and quarterly basis for accountability.
- Look for updates throughout the year with HIPAA regulations and adjust your Policies and Procedures accordingly.
- Review your Policies and Procedures every year for any needed changes, taking into account any new staff and any staff who are no longer employed.
Keep in mind that your HIPAA Policies and Procedures are also what set and define your facility’s stance on security, proactive measures, periodic checkpoints for review, and disciplinary actions when needed. In addition, they define your facility’s responsibilities and obligations around protecting ePHI and outline the expectations for your staff in terms of meeting HIPAA Compliance regulations.
Lastly, making sure your staff abides by your HIPAA Policies and Procedures on a daily basis is now more critical than ever, as the Office of Civil Rights (OCR) has expanded its annual compliance enforcement audit program. The OCR has ramped up its search for Covered Entities and Business Associates without the appropriate HIPAA Policies and Procedures in place, which could leave your facility at risk.
Simply having your Policies and Procedures on a piece of paper, stashed away in a filing cabinet, is no longer enough. You need to bring your Policies and Procedures to life in order to fully protect your facility. To learn more about getting access to our templates for HIPAA Policies and Procedures, along with our HIPAA Compliance Services pertaining to IT, feel free to give us a call at (919) 929-3080 x 241.