Policies, Procedures, and Documentation Requirements
You may not be aware that roughly 75% of HIPAA requirements concern the policies, procedures, and documentation you have in place. Although the Security Rule covers security policies and procedures, most practices have not updated their privacy policies and procedures either, and that gap can also result in fines and penalties. The Office for Civil Rights (OCR) is the governing body that enforces HIPAA. The OCR looks for consistency, so review your Notice of Privacy Practices and your Privacy Policies and Procedures to ensure they agree with each other and with what you actually do. This will be critical in an audit situation. Consistency is the key!
The OCR says: IF IT'S NOT DOCUMENTED, IT'S NOT DONE!
Policies and Procedures (45 CFR § 164.316(a))
Since the Security Rule was written to accommodate everything from the smallest medical practice to the largest hospital, there is a lot of room for flexibility. Keep in mind that whatever you decide MUST be documented. Policies and procedures should reflect how data is transmitted, how it is stored, and the workflow of the organization. Policies and procedures will keep changing as the organization grows and technology changes.
Documentation (45 CFR § 164.316(b)(1))
This is where you need to be diligent. You can have the BEST policies and procedures in place, but if you do not document your compliance, it does not count. The OCR does not care what you have planned in your head; if it has not been put in writing, it does NOT exist! The three areas that must be addressed are:
Time Limit (45 CFR § 164.316(b)(2)(i))
You must retain your documentation for at least 6 years from the date of its creation or the date it was last in effect, whichever is later. Some organizations may need to retain documentation for a longer period because of state law, accreditation requirements, or other business needs.
Availability (45 CFR § 164.316(b)(2)(ii))
Your documentation must be available to the persons responsible for implementing the procedures it describes, whenever they need it. It can be made available in printed or digital form.
Updates (45 CFR § 164.316(b)(2)(iii))
Organizations must review and update their policies and procedures as needed, for example in response to operational or environmental changes. Aris understands the dilemma most organizations face in trying to comply with all of these regulations. We are here to help our clients through Partnership, Education, and Support.
Let Aris work with you for an easy online path to HIPAA compliance