Formulating a written set of HIPAA Policies & Procedures regarding Privacy, Security and Breach Notification is one of the main requirements for HIPAA compliance. And one of the first things HHS auditors will ask to see.
Notice that I didn’t say, “Having a written set of HIPAA Policies & Procedures is one of the main requirements,” but instead used the term “Formulating.” I did that for a reason. The word implies action, participation, involvement. And that’s precisely what’s needed when setting up your practice’s Policies and Procedures. But before we get to that, I’d like to first cover a few Policy and Procedure fundamentals.
What’s the difference between a policy and a procedure?
A policy spells out a practice’s values and the expected behaviors. It addresses the questions “What?” and “Why?” A procedure, on the other hand, details the action required to deliver on the practice’s stated values. It answers the questions “How?” “Where?” and “When?”
As an example, here’s how policies and procedures regarding Verification of Identity might be addressed in the P & P document a practice develops:
Verification of Identity. Our practice will not disclose patient information to persons who do not have the authority to access the information. (That’s the policy.) If a person asks for information about a patient, and we do not know the person and/or we are not sure that the person has the authority to access the information they asked for, our Privacy Officer is responsible for verifying the person’s identity and authority to get the patient information they request. (That’s the procedure.)
Why does a practice need written Policies and Procedures?
I think it’s safe to say that most people who work in a healthcare office probably haven’t read the HIPAA regulations in their entirety — or even at all. At 500+ pages, the Health Insurance Portability and Accountability Act — authored by lawmakers — isn’t exactly a beach read.
Policies and Procedures are intended to make the requirements of the HIPAA law understandable to the staff. P and P’s translate HIPAA’s requirements and restrictions into language that’s clear and easy to put into practice.
What do Policies and Procedures cover?
A practice needs to have P & P’s for HIPAA’s requirements for Privacy, Security, and Breach Notification. Within those topics, there are many sub-topics, including such things as General Policies Regarding the Use and Disclosure of PHI, Business Associate Agreements, Release of Information to a Minor’s Parents, and Request to Amend a Patient Record — to name just a few.
What about using templates?
Some providers believe the solution to HIPAA’s Policies and Procedures requirement is to buy a bunch of templates, fill in all the blanks that say NAME OF YOUR PRACTICE HERE, put those pages in a binder, slide the binder on a shelf, and be done with it.
Templates can provide an acceptable starting point, but Policies and Procedures need to be specific to each practice. Ideally, the office’s Privacy Officer and key staff members should be involved in formulating how HIPAA-related matters get addressed. With each issue a template focuses on, the team needs to ask, “Does this really reflect the way we handle this issue here?” If it doesn’t, that section of the template needs to be modified accordingly.
If a practice merely fills in blanks without customizing the content, and if an auditor sees that the written P & P’s don’t match the way the practice actually does things, the practice, in addition to violating HIPAA, could also be subject to fines under the rules that govern Unfair Trade Practices!
Your practice’s go-to guide
Policies and Procedures aren’t meant to gather dust on a shelf. They should be shared with the entire staff, readily available to new hires, revisited often, and continually updated. A practice’s P and P’s play an essential role in the day-to-day functioning of a healthcare practice and its commitment to HIPAA compliance. The pages of that document should be dog-eared. Its place on the shelf, often empty. In other words, a practice’s Policies and Procedures should be as much a part of daily life in the office as small talk about the weekend.
To get started formulating your Policies and Procedures, talk with us.