Many off-the-shelf HIPAA compliance handbooks have a lot in common with do-it-yourself furniture. You’re promised HIPAA compliance, a lower price, and “easy-to-follow instructions.” But you’re likely to get frustration, missing parts, and something that could do more harm than good.
Do-it-Yourself HIPAA Compliance Handbook: Who Does One Size Fit?
Do-it-yourself compliance with a fill-in-the-blank HIPAA compliance handbook sounds inviting. Often, these handbooks promise complete policies, procedures, and business associate agreements that simply need you to add your organization’s name.
What’s the problem with that approach? HIPAA was written to apply to everyone who creates, possesses, or processes protected health information (PHI). The Mayo Clinic and a rural dental office in Alaska are both expected to fulfill every one of HIPAA’s rules and regulations.
As you might imagine, the process for becoming HIPAA compliant would look very different for each entity. To be effective, an organization’s policies and procedures must reflect the unique characteristics of that organization.
Now think about two pediatric clinics in the same town with the same number and makeup of staff, patients, and vendors. Even with so many similarities, there are still likely to be differences in how the clinics operate. Perhaps one allows clerical employees to work from home, while the other offers patient visit summaries via text message. The policies and procedures of each clinic must account for those key differences. If they don’t, neither clinic will be HIPAA compliant.