The development, implementation, and enforcement of HIPAA policies and procedures is the cornerstone of HIPAA compliance. Without policies and procedures to provide guidelines, members of Covered Entities’ and Business Associates’ workforces will be unaware of how they should carry out their functions in compliance with HIPAA, how they should react when specific events occur, and what sanctions may apply for failing to comply with HIPAA.
The requirement to develop, implement, and enforce HIPAA policies and procedures appears in the very first standard of the Administrative Requirements of the Privacy Rule (45 CFR § 164.530). The standard states a Covered Entity must “designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.”
This standard not only applies to the development and implementation of Privacy Rule policies and procedures, but also to policies and procedures designed to comply with the Breach Notification Rule. The designated privacy official is also responsible for training members of the Covered Entity’s workforce on relevant policies and procedures, and for applying sanctions for noncompliance.
With regard to Security Rule policies and procedures, the requirements of the Administrative Safeguards (45 CFR § 164.308) are more comprehensive. Covered Entities and Business Associates are required to designate a security official who is responsible for developing and implementing HIPAA policies and procedures designed to prevent, detect, contain, and correct security violations.
Although the Administrative Safeguards of the Security Rule require general security and awareness training rather than specific policy and procedure training, security officials are instructed to “make documentation available to those persons responsible for implementing the procedures to which the documentation pertains”, review compliance, and apply sanctions for non-compliance.
There is No One-Size-Fits-All Policy Playbook
Despite there being thousands of Covered Entities and Business Associates, there is no one-size-fits-all template for developing HIPAA policies and procedures. This is because HIPAA accommodates different types of organizations and what might be appropriate for a large medical system is likely to be impractical for a dental office, veterans’ health program, or technology provider.
Consequently, Covered Entities are required to conduct periodic HIPAA risk assessments to identify where threats exist to the confidentiality, integrity, and availability of PHI, carry out risk analyses to identify gaps, and develop and implement HIPAA policies and procedures to reduce risks and vulnerabilities to a reasonable and appropriate level.
To assist Covered Entities and Business Associates with the development of policies and procedures, the HHS’ Office for Civil Rights has released an interactive Security Risk Assessment Tool which guides users through a Security Rule assessment. However, this tool does not guarantee compliance with HIPAA as it does not cover Privacy Rule and Breach Notification assessments.
Privacy Rule and Breach Notification assessments will have to be conducted manually to comply with the Administrative Requirements of the Privacy Rule – i.e., “reasonably safeguarded Health Information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements of this subpart”.
You Cannot Avoid HIPAA Policies and Procedures
The failure to develop, implement, and enforce HIPAA policies and procedures can have significant consequences. Not only might a lack of guidelines lead to multiple HIPAA violations, the failure to develop, implement, and enforce HIPAA policies and procedures is itself a HIPAA violation for which HHS’ Office for Civil Rights has previously issued financial penalties.
It is also important that everybody impacted by a change to policies and procedures is notified of that change. This may mean Notices of Privacy Practices need to be revised, members of the workforce need to undergo refresher training, or Business Associate Agreements need to be re-issued. All policy changes must be documented and maintained for a minimum of six years.
In addition to periodically reviewing and updating policies and procedures in response to environmental and organizational changes, Covered Entities and Business Associates must also keep policies and procedures up to date with state laws. Some state laws – such as Texas’ Medical Records Privacy Act – extend beyond state boundaries to any Covered Entity that collects, maintains, or processes the PHI of a Texas resident regardless of where the Covered Entity is located.
One further reason for keeping HIPAA policies and procedures up to date is that when new HIPAA regulations are published – as is forecast to happen later this year – it will be easier for Covered Entities and Business Associates to review and update existing policies and procedures. This not only mitigates the administrative overhead of HIPAA compliance but will also smooth the introduction of changes for patients, members of the workforce, and business associates.