Road to HIPAA Compliance: Policies and Procedures

by KirkpatrickPrice / April 27th, 2016

How Policies and Procedures Can Help You Ace an OCR Audit

This webinar gives insight into the purpose and the concepts of effective policies and procedures and what the Office for Civil Rights (OCR) is looking at when evaluating policies and procedures. Updated, well-documented and implemented policies and procedures are the basics of any regulatory compliance program. Outdated policies and procedures are the most common gap that we see when working with clients. We like to say, “If it’s not written down, it isn’t happening.” So, what should your organization be reviewing?

Review the Difference Between a Policy and a Procedure: A policy is a statement of management intent; in this case, a statement to comply with a specific HIPAA requirement. Policies answer: What? Why? A procedure is a process to fulfill management intent. Procedures answer: How? When? Where?

Review the Lifespan of a Policy or Procedure: When creating new policies and procedures or amending existing ones, there should be a process for checking for conflicts with existing documents, checking for legal requirements, and ensuring the document discusses all necessary topics. A formal review process is also necessary to keep all policies and procedures up-to-date; policies and procedures should be reviewed at least annually.

Review Privacy Rule Policies: This review should include defining a designated record set, accounting for when a patient’s protected health information (PHI) is disclosed, evaluating the content and process of the Notice of Privacy Practices, considering what to do when a patient brings their own Authorization for Disclosure form, processing confidential communications, setting fees for records, handling record retention, and handling workers’ compensation claims.

Review Security Rule Policies: These policies should cover the required risk analysis and how the organization maintains reasonable and appropriate physical, technical, and administrative safeguards.

Review the Breach Notification Rule: This review should include internal notification, incident response plans, and mitigation.

Review Business Associate Compliance Management: This review should include Business Associate Agreements, current statuses of relationships, the auditing and monitoring of business associates, corrective actions, and termination of business associates.

Review the Internal Auditing Procedure: This procedure should identify risks, conduct a baseline assessment, plan for ongoing auditing, and develop corrective action plans.

To learn more about how to write effective policies and procedures, check out our Style Guide to Creating Good Policies and our Style Guide to Writing Good Procedures.