
If You Don’t Update Your HIPAA Policies And Procedures Today, You’ll Hate Yourself Later.

When you think of HIPAA practices in your organization, the following statements may cross your mind:

“We have a process for that, it is just not documented”

“We are good at protecting our patients’ privacy, we don’t need a written compliance manual”

“We did some items that would qualify to meet those requirements, but we didn’t know we had to document”

“We have a high level of HIPAA compliance, but just don’t have documented policies and procedures”

While all these statements may be true, HIPAA requires documentation and proof that you are complying with the regulations. Documentation and proof of compliance are established through the creation and implementation of required HIPAA policies and procedures. Both the HIPAA Privacy Rule and the HIPAA Security Rule contain provisions that require organizations to implement written policies and procedures to comply with the regulations.

  • Privacy Rule Documentation – 164.530(i) – A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule
  • Security Rule Documentation – 164.316(b)(1) – (i) Maintain the policies and procedures implemented to comply with the regulations in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment
  • Breach Notification Rule Documentation – 164.414 – A covered entity must comply with the administrative requirements as defined under the HIPAA rule documentation, including the establishment of policies and procedures.

Written policies and procedures are created to establish a foundation on how an organization is protecting patient information, providing rights over protected health information to their patients, and establishing appropriate safeguards to protect information in all media types. Policies and procedures should be shared with all workforce members to demonstrate knowledge and understanding of privacy and security practices. Training should be provided on not only the HIPAA regulations but also the specific policies and procedures that the organization established.

Unsure of what policies and procedures should be created for HIPAA Privacy and Security? Don’t be worried! Planet HIPAA has created a FREE list of policies and procedures from the regulations. Grab your checklist and make sure you have a written policy and procedure for each of the requirements!

Don’t sit back and assume you are OK because you have a process; make sure you have proper documentation to support your compliance with HIPAA regulations.

Final Word on HIPAA Compliance and Documentation – If it isn’t documented, it isn’t done. Take initiative, review, analyze, and verify. Your compliance level is only as good as the documentation you have to support it. Be diligent, dig through documentation, and feel confident with your compliance with HIPAA.

