The development, implementation, and enforcement of HIPAA policies and procedures is the cornerstone of HIPAA compliance. Without policies and procedures to provide guidelines, members of Covered Entities' and Business Associates' workforces will be unaware of how they should carry out their functions in compliance with HIPAA, how they should react when specific events occur, and what sanctions may apply for failing to comply with HIPAA.
The requirement to develop, implement, and enforce HIPAA policies and procedures appears in the very first standard of the Administrative Requirements of the Privacy Rule (45 CFR § 164.530). The standard states a Covered Entity must “designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.”
This standard not only applies to the development and implementation of Privacy Rule policies and procedures, but also to policies and procedures designed to comply with the Breach Notification Rule. The designated privacy official is also responsible for training members of the Covered Entity's workforce on relevant policies and procedures, and for applying sanctions for noncompliance.
With regards to Security Rule policies and procedures, the requirements of the Administrative Safeguards (45 CFR § 164.308) are more comprehensive. Covered Entities and Business Associates are required to designate a security official who is responsible for developing and implementing HIPAA policies and procedures designed to prevent, detect, contain, and correct security violations.
Although the Administrative Safeguards of the Security Rule require general security and awareness training rather than specific policy and procedure training, security officials are instructed to “make documentation available to those persons responsible for implementing the procedures to which the documentation pertains”, review compliance, and apply sanctions for noncompliance.
There is No One-Size-Fits-All Policy Playbook
Despite there being thousands of Covered Entities and Business Associates, there is no one-size-fits-all template for developing HIPAA policies and procedures. This is because HIPAA accommodates different types of organizations, and what might be appropriate for a large medical system is likely to be impractical for a dental office, veterans' health program, or technology provider.
Consequently, Covered Entities are required to conduct periodic HIPAA risk assessments to identify where threats exist to the confidentiality, integrity, and availability of PHI, carry out risk analyses to identify gaps, and develop and implement HIPAA policies and procedures to reduce risks and vulnerabilities to a reasonable and appropriate level.
To assist Covered Entities and Business Associates with the development of policies and procedures, the HHS' Office for Civil Rights has released an interactive Security Risk Assessment Tool which guides users through a Security Rule assessment. However, this tool does not guarantee compliance with HIPAA as it does not cover Privacy Rule and Breach Notification assessments.
Privacy Rule and Breach Notification assessments will have to be conducted manually to comply with the Administrative Requirements of the Privacy Rule – i.e., “reasonably safeguard Protected Health Information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements of this subpart”.
You Cannot Avoid HIPAA Policies and Procedures
The failure to develop, implement, and enforce HIPAA policies and procedures can have significant consequences. Not only might a lack of guidelines lead to multiple HIPAA violations, but the failure to develop, implement, and enforce HIPAA policies and procedures is itself a HIPAA violation for which the HHS' Office for Civil Rights has previously issued financial penalties.
It is also important that everybody impacted by a change to policies and procedures is notified of the change. This may mean Notices of Privacy Practices need to be revised, members of the workforce need to undergo refresher training, or Business Associate Agreements need to be re-issued. All policy changes must be documented and maintained for a minimum of six years.
In addition to periodically reviewing and updating policies and procedures in response to environmental and organizational changes, Covered Entities and Business Associates must also keep policies and procedures up to date with state laws. Some state laws – such as Texas' Medical Records Privacy Act – extend beyond state boundaries to any Covered Entity that collects, maintains, or processes the PHI of a Texas resident regardless of where the Covered Entity is located.
One further reason for keeping HIPAA policies and procedures up to date is that when new HIPAA regulations are published – as is forecast to happen later this year – it will be easier for Covered Entities and Business Associates to review and update existing policies and procedures. This not only mitigates the administrative overhead of HIPAA compliance but will also smooth the introduction of changes for patients, members of the workforce, and Business Associates.
HIPAA Policies and Procedures FAQs
Are Business Associates required to develop and implement Privacy Rule policies?
Although the Privacy Rule only applies to Covered Entities, Business Associates are advised to develop Privacy Rule policies for situations in which Privacy Rule standards apply. For example, there are circumstances in which a patient could approach a Business Associate directly with a request to access their PHI. Therefore, Business Associates should include such circumstances in their Security Rule risk assessments to ensure Privacy Rule policies exist when these circumstances occur.
What should Breach Notification policies and procedures include?
Breach notification policies and procedures should cover everything from the definition of a data breach to how affected individuals, the Office for Civil Rights, and the media will be notified. One of the most important policies in this area should be how members of the workforce report a breach to their supervisors, so that the Covered Entity or Business Associate can mitigate the impact of the breach as quickly and as effectively as possible.
Is it possible to combine policy and procedure training with security and awareness training?
In some cases, it can be beneficial to combine Privacy Rule and Security Rule training – for example when discussing device and media controls required by the Physical Safeguards of the Security Rule. However, combining non-related areas of HIPAA can confuse trainees or result in information overload which can limit retention and result in unintentional violations. Therefore, it is a best practice to combine Privacy Rule and Security Rule training only when appropriate.
Can the privacy official and the security official be the same person?
HIPAA does not stipulate that the roles have to be assigned to different individuals, so it is possible for the privacy official and the security official to be the same person. However, it is more often the case in smaller organizations that the role of privacy official is assigned to an employee with an administrative position, while the role of security official is assigned to an employee in a senior IT position due to the complexity of some Security Rule implementation specifications.
What changes to HIPAA are forecast to happen this year?
Among the changes forecast to happen this year, individuals may be allowed to request a transfer of PHI to personal health apps or request that PHI maintained on an EHR is shared between Covered Entities, “good faith” uses and disclosures of PHI may be allowed beyond those permitted by the Privacy Rule, and there are proposals to create exceptions to the Minimum Necessary Standard. If they occur, these changes will have a significant impact on existing HIPAA policies and procedures.