by Jay Hodes – President, Colington Consulting
Within the Code of Federal Regulations (CFR), there is a HIPAA requirement that calls for the implementation of reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of the code. This requirement applies to both Covered Entities and Business Associates. Often I see Business Associates who are not fully aware that this requirement applies to them; however, they are held accountable just as any Covered Entity is.
Here are some frequently asked questions that I have received while developing policy and procedures for my clients.
What types of HIPAA policy and procedures must be in place?
Let’s start with what must be covered. As the CFR calls for, policies and procedures must cover all the implementation specifications, and there are over 50 of them. You cannot pick and choose which ones to address, even though some seem far more important than others; every one of them must be addressed with a policy and procedures.
How should a policy and procedures manual be structured?
There is not a regulatory requirement that states how a manual must be structured. As a best practice, I always group the sections by the administrative, technical and physical safeguard specifications for the manuals my company develops.
What should be covered in each section of the manual?
As a general rule, you will want to include a reference to the section of the code that each section of the manual pertains to. For example, if a section covers CFR § 164.530(e), which sets the standard for a sanction policy, include the exact language of the code.
You may also want to include a short statement of the enterprise’s own expectations, such as (even though it sounds obvious) that the enterprise is committed to meeting all compliance requirements and that due diligence was applied in developing the policy and procedures.
Next, you will want to lay out clearly your enterprise’s policy for this requirement. It does not need to be a novel; keep it reasonably concise. Using the sanction policy example, indicate exactly what the enterprise considers to be a violation. For example, state that a workforce member who fails to follow the required safeguards for protecting a patient’s health record has committed a violation, and state what disciplinary actions may follow.
Lastly, include the actual procedures. This is critically important, because it shows workforce members what specific actions should be taken. Using the sanction policy example again, show how the process unfolds, such as who in the enterprise is responsible for investigating when a HIPAA violation occurs and how the investigation is documented.
Can we develop our own policy and procedures manual?
You can, but it will be a time-consuming process, especially if nobody in your enterprise has policy-writing experience and the ability to decipher those pesky CFRs. This may be an area you consider outsourcing. It takes our policy team weeks to customize, edit and re-edit the manuals we provide to our clients. Our goal is to make sure the policies and procedures are reasonable and appropriate for that enterprise.