What Are HIPAA Policies and Procedures?

How are your employees expected to follow HIPAA standards when you don’t have a set of guidelines in place? Having written HIPAA policies and procedures is an important part of HIPAA compliance, as they provide your organization and employees with a reference point for what is and is not appropriate with regard to protected health information. HIPAA policies provide general guidelines for how to meet HIPAA requirements, while HIPAA procedures specify the actions that are appropriate for handling a particular situation.

HIPAA Privacy Policies and Procedures for Healthcare Providers

The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 (What is HIPAA?).

The Privacy Rule set forth standards for the privacy of certain health information, referred to as protected health information (PHI). PHI is any “Individually Identifiable Health Information” related to the past, present, or future provision of healthcare.

The Privacy Rule addresses privacy of PHI in several ways, including:

  • Dictating the proper use and disclosure of individuals’ PHI;
  • Creating standards that outline an individual’s rights with regard to their PHI; and
  • Requiring covered entities to provide patients with a Notice of Privacy Practices so that they understand how their health information is used.

HHS and the Office for Civil Rights (OCR) have the responsibility of implementing and enforcing the Privacy Rule with respect to compliance activities and civil money penalties. The Privacy Rule assures that an individual’s health information is properly protected while still allowing the health information needed to promote quality healthcare to be provided. As such, the Privacy Rule permits important uses of information while protecting the privacy of people who seek healthcare.

The HIPAA Privacy Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed. Covered entities regulated by the HIPAA Privacy Rule are required to comply with all of its applicable requirements.

The Privacy Rule applies to health plans, healthcare clearinghouses, and to any healthcare provider who transmits health information in any form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).

HIPAA policies for privacy provide guidance to employees on the proper uses and disclosures of PHI, while HIPAA procedures provide employees with specific actions they may take to appropriately use and disclose PHI. For instance, a HIPAA privacy policy for adhering to the HIPAA minimum necessary standard may state: “When using or disclosing PHI, organization shall make reasonable efforts to limit PHI uses, disclosures, and requests disclosed to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” The HIPAA procedure applicable to this policy may state: “Organization will identify the classes of persons or job titles within the organization’s workforce who need access to PHI to carry out their job duties and responsibilities described in organization’s job descriptions.”


Protected Health Information

The Privacy Rule protects all 18 fields of “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information protected health information (PHI). Individually identifiable health information includes demographic data and other personal information that can be linked to an individual, such as name, address, birth date, Social Security Number, and past medical history. This type of information must be protected.

HIPAA Security Policies and Procedures

The Security Rule requires healthcare organizations to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI.

The Security Rule defines:

  • Confidentiality to mean that ePHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI.
  • Integrity to mean that ePHI is not altered or destroyed in an unauthorized manner.
  • Availability to mean that ePHI is accessible and usable on demand by an authorized person.

HHS recognizes that healthcare organizations range from the smallest provider to the largest, so the Security Rule is flexible and scalable to allow businesses to analyze their own needs for compliance policies and procedures, and implement solutions appropriate for their specific environments.

When a healthcare organization is deciding which security measures to use, the Rule does not dictate those measures but requires the organization to consider:

  • Its size, complexity, and capabilities;
  • Its technical, hardware, and software infrastructure;
  • The costs of security measures; and
  • The likelihood and possible impact of potential risks to ePHI.

Healthcare organizations must review and modify their security policies to continue protecting ePHI in their ever-changing environment.

Risk Analysis and Management

The Administrative Safeguards provisions in the Security Rule require healthcare organizations to perform a security risk analysis as part of their security management processes. The risk analysis and management provisions of the Security Rule are addressed separately here because determining which security measures are reasonable and appropriate for a particular organization affects the implementation of all of the safeguards contained in the Security Rule.

A risk analysis process includes, but is not limited to, the following activities:

  • Evaluating the likelihood and impact of potential risks to ePHI;
  • Implementing appropriate security measures to address the risks identified in the risk analysis;
  • Documenting the chosen security measures and, where required, the rationale for adopting those measures; and
  • Maintaining continuous, reasonable, and appropriate security protections. 

HIPAA risk analysis should be an ongoing process in which an organization regularly reviews its records to track access to ePHI and detect security incidents; periodically evaluates the effectiveness of the security measures it has put in place; and regularly reevaluates potential risks to ePHI.

Administrative Safeguards

  • Security Management Process. An organization must identify and analyze potential risks to ePHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Security Personnel. An organization must designate a security official who is responsible for developing and implementing its security policies and procedures.
  • Information Access Management. The Security Rule requires an organization to implement policies and procedures for authorizing access to ePHI only when such access is appropriate based on the user or recipient’s role (role-based access).
  • Workforce Training and Management. An organization must provide for appropriate authorization and supervision of workforce members who work with ePHI. The organization must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.
  • Evaluation. An organization must perform a periodic assessment of how well its security policies and procedures meet the requirements of the Security Rule.

Physical Safeguards

  • Facility Access and Control. An organization must limit physical access to its facilities while ensuring that authorized access is allowed.
  • Workstation and Device Security. An organization also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (ePHI).

Technical Safeguards

  • Access Control. An organization must implement technical HIPAA policies and procedures that allow only authorized persons to access electronic protected health information (ePHI).
  • Audit Controls. An organization must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.
  • Integrity Controls. An organization must implement HIPAA policies and procedures to ensure that ePHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that ePHI has not been improperly altered or destroyed.
  • Transmission Security. An organization must implement technical security measures that guard against unauthorized access to ePHI that is being transmitted over an electronic network.

HIPAA policies for security provide guidelines for securing PHI, while HIPAA procedures for security provide the specific measures that must be implemented to provide that security. For instance, a HIPAA security policy for user authentication may state: “Information systems used to access ePHI shall uniquely identify and authenticate workforce members through the use of strong passwords.” A HIPAA procedure for this policy may state: “System administrators shall provide the password for a new unique user ID only to the user to whom the new ID is assigned.”

HIPAA Policies and Procedures for Business Associates

A business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. Business associate services to a covered entity are limited to legal, actuarial, accounting, consultant, data aggregation, management, administrative, accreditation, or financial services.

HIPAA policies and procedures for business associates are similar to those of covered entities. The main difference is that, since business associates are not involved with treatment, payment, or healthcare operations, they only need limited privacy policies and procedures.

Organizational Requirements

Who needs a Business Associate Agreement? All entities a covered entity shares ePHI with shall have a Business Associate Contract that outlines how the Business Associate will handle and protect the data they receive.

HIPAA Policies and Procedures and Documentation Requirements

Healthcare organizations must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. The organization must maintain written security policies and procedures, and written records of required actions, activities, or assessments, until six years after the later of the date of their creation or their last effective date.

The organization must also periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (ePHI).

Ensure You Are Compliant

Implementing effective HIPAA policies and procedures may seem like a lot of work, and you’re not wrong. Since HIPAA policies and procedures must be drafted to apply to an organization’s specific business operations, there is a lot to consider to ensure that your policies and procedures meet HIPAA standards. This is why Compliancy Group pairs our HIPAA software with a dedicated Compliance Coach to help you take on this complex task. By working with Compliancy Group, you don’t have to stress that your HIPAA policies and procedures are lacking. We help you to create custom policies and procedures that meet HIPAA standards, and apply specifically to your business. Find out how we can help you get compliant efficiently and effectively!
