Aside from posting a Notice of Privacy Practices (NOPP) and the confusion over patient sign-in sheets, the one thing that stuck with providers in the early days of HIPAA compliance was the policy manual. Everyone got a manual from somewhere and knew it had to be readily available. Sadly, many small healthcare offices barely touch their manual, which is a huge HIPAA red flag, and falsely believe that simply having a manual equates to compliance.
Regularly review policies
While it's true that everyone has a policies and procedures manual, only a small minority of offices properly maintain it. HIPAA requires you to review and re-approve your policies on a regular basis, which typically means annually, unless a significant change occurs sooner, such as moving locations or adopting electronic medical records. You must keep a record of every review date, and you must retain previous versions that differ from current policies: the Security Rule requires documentation to be kept for six years from the date it was created or the date it was last in effect, whichever is later.
Customize your policies
Copying and pasting your business name and address into someone else's manual does not make it custom. While some policies can be generic across thousands of practices, others absolutely must be specific to your practice alone, because they describe how your office actually operates and who is responsible for what.
Policy topics to include
Your HIPAA policies and procedures must cover a wide range of topics, such as:
- Employee responsibilities
- Identification and authentication
- Malicious code
- Building security
- Telecommuting (if permitted by your office)
- Wireless protocol
- Records retention and destruction
- Backup procedures
- Information systems activity review
- Staff training and sanctions policy
- Emergency operations
- Breach notification
- Risk management
HIPAA places a lot of weight on your policies and procedures because almost all other compliance activities, from training to risk management to breach response, stem from them. If you are seriously interested in compliance, it's time to dust off your policy manual.
Note: You don't have to keep a paper copy of your policy manual; it can be stored entirely in electronic form. Software can be a very useful tool for customizing and maintaining policies and procedures and for keeping the required record of review dates and prior versions.