HIPAA Policies and Procedures: Are You Compliant?
Aside from posting a Notice of Privacy Practices document and the patient sign-in sheet confusion, the one thing that stuck with providers in the early days of HIPAA was the policies and procedures manual. Everyone got a policy manual from somewhere and knew it had to be readily available to be compliant.
Sadly, many healthcare offices barely touch their HIPAA policies and procedures, which is a huge red flag, and falsely believe simply having a manual equates to compliance.
Regularly review your policies and procedures
While it's true everyone has a policies and procedures manual, only a small minority of offices properly maintain the manual. The HIPAA requires you to review (a.k.a. approve) your policies on a regular basis, which typically equates to annually, unless a significant change occurs, such as you moving locations or adopting electronic medical records.
You must have a record of all the review dates and should keep a copy of old versions if they differ from current policies.
Customize your policies
Copy and pasting your business name and address into someone else’s manual does not make it custom. While some policies and procedures can be generic across thousands of practices, there are others that absolutely must be custom to your practice alone.
For example, it's virtually impossible for two offices to have identical policies and procedure regarding emergency operations because their environments are not identical.
Policy topics to include
Your HIPAA policies and procedures must cover a wide range of topics, such as:
- Employee responsibilities
- Identification and authentication
- Malicious code
- Building security
- Wireless protocol
- Records retention and destruction
- Backup procedures
- Information systems activity review
- Staff training and sanction policy
- Emergency operations
- Breach notification
- Risk management
The HIPAA places a lot of weight on your policies and procedures because almost all other compliance activities stem from them. If you are seriously interested in compliance it's time to dust off your policy manual.
Note: You don’t have to keep a paper copy of your policy manual, it can be stored entirely in electronic form if you wish. Software can be a very useful tool to help you customize and maintain policies and procedures.
by Dr. Jeff Brown
Jeff Brown, DC, is CEO at HIPAAMATE and dedicated to making HIPAA compliance comfortable for small- and medium-sized healthcare practices and business associates. Dr. Brown’s career spans private practice, compliance consulting, and software product management for three healthcare technology companies.
DISCLAIMER: Because of the generality of this article, the information provided herein may not be applicable in every situation and should not be acted upon without specific legal advice based on particular situations.