Developing Policies and Procedures in Health Care

Healthcare providers and healthcare practices are subject to regulations at the local, state, and federal levels. These regulations are often written in a manner that confuses the average lawyer. Since healthcare regulations frequently apply to members of a healthcare provider’s workforce, all employees of a covered entity must be able to understand what various regulations require of them. Creating written policies and procedures that describe what employees must do with respect to regulations, and how they must do it, can minimize the confusion that reading the regulations brings. The process of developing policies and procedures in health care is discussed below.

Developing Policies and Procedures in Health Care: Policy Creation

Understanding the importance of developing policies and procedures in health care requires an understanding of the difference between the concepts of “policies” and “procedures.” Policies are a series of statements that describe an overall goal. Procedures are the step-by-step instructions that must be followed for the goal to be accomplished.

For example, a HIPAA covered healthcare provider must, per the HIPAA Privacy Rule, grant individuals access to their protected health information. The goal of providing access to PHI is a laudable one (failing to provide access can also subject you to monetary penalties). Telling your workforce, “We have a policy of providing access to PHI,” though, imparts very little information. Questions immediately arise. “What kind of PHI?” “How quickly must it be provided?” “In what form?” “Can we charge for it?” “Are there situations where we have to tell a patient that we cannot honor their request for access? What are those situations?”

The answers to these questions can be found in the HIPAA regulations. The regulations set the ground rules for PHI access: The PHI that must be provided must be contained in a designated record set; there is a time frame for responding to PHI access requests; and in some instances, a provider can charge for copies of PHI. These details are the building blocks for creating procedures.

Developing Policies and Procedures in Health Care: Procedure Creation

Say your organization wants to create a procedure for responding to requests for individual access to PHI. The most important concern in creating this procedure is a basic one: when does access have to be provided? The HIPAA Privacy Rule provides that individual patients may access and obtain copies of their PHI that are contained in a designated record set, for as long as they are maintained there. A procedure that puts all of this into plain English must cover the following:

What employees/job titles are authorized to respond to PHI access requests? 

Is the request being made actually a request for PHI?

Is that PHI maintained in a designated record set? (A designated record set is a group of records maintained by or for a covered entity that may include patient medical and billing records; the enrollment, payment, claims, adjudication, and cases or medical management record systems maintained by or for a health plan; or information used in whole or in part to make care-related decisions).

Is there an exception to the requirement that a request for access to PHI must be granted? (For example, a request for access to psychotherapy notes may be denied).

By when must there be a response to the request?

How must an employee document a request for PHI access? 

The answers to these questions constitute the procedure, which reads as follows:

“Administrative staff that have received training on the HIPAA Privacy Rule are authorized to respond to requests for access to PHI. The staff member must determine whether the request is for protected health information contained in designated record sets. If the information is PHI contained in designated record sets, the staff member must then determine whether the request must be approved, or denied. Requests must be acted on no later than 30 days after receipt of the request. Denials of requests must be in writing, and the basis for the denial must be stated. Whenever a request is received, either by mail or electronically, the responding staff member must record the details of the request, including the requesting person’s name, address, the designated record sets that are subject to access, and the title of the person receiving and processing the request. Any staff member that has questions about any aspect of these procedures should consult his or her supervisor.”

Developing policies and procedures in health care enables a healthcare provider to efficiently meet its regulatory obligations. Developing policies and procedures in health care, and training employees on these policies and procedures, also allows a healthcare organization to document its good-faith effort toward achieving HIPAA compliance.