
At the heart of HIPAA compliance lies one overarching goal: to secure protected health information (PHI).
But how do individual employees ensure they’re safely handling PHI in their day-to-day roles?
Enter: HIPAA policies and procedures.
Businesses must create and implement a set of policies and procedures that break down the complex HIPAA rules into instructions that are simple to understand and follow.
Below, we cover what HIPAA policies and procedures look like, examples of necessary policies, and how to create your own.
The HIPAA law was passed in 1996 and was created to safeguard PHI, which includes everything from your name and address to prescriptions and test results.
To ensure businesses are protecting PHI properly, employees must follow specific instructions. This is where HIPAA policies and procedures come into play.
Policies and procedures are essential to HIPAA compliance — and are required by HIPAA law. Failure to develop and implement policies and procedures is a HIPAA violation, which can lead to financial and criminal penalties.
Aside from being required by law for HIPAA compliance, policies and procedures offer additional benefits for organizations, including:
HIPAA outlines a series of rules that organizations must adhere to in order to be HIPAA compliant. A few of the main ones are the Privacy Rule, Security Rule, and Breach Notification Rule.
Below we dig into specific policies that apply to each.
The Privacy Rule regulates the use and disclosure of PHI. The rule requires that businesses properly safeguard PHI and gives patients greater control over who can access their medical information.
This HIPAA rule applies to any business that has access to patient information that, if compromised, could harm a patient’s finances or reputation or result in fraud.
The Privacy Rule is enforced by the Department of Health and Human Services Office for Civil Rights (OCR), state attorneys general, and the Centers for Medicare and Medicaid Services (CMS).
Examples of policies and procedures under this rule include:
The HIPAA Security Rule explains how businesses should safeguard PHI.
Under the Security Rule, there are three types of safeguards to protect patient information from breaches.
Additionally, businesses need to practice risk management and conduct risk assessments to ensure that the PHI is secure.
Examples of policies and procedures under this rule include:
The Breach Notification Rule requires organizations to notify affected individuals and the Department of Health and Human Services (HHS) when unsecured PHI has been breached.
To avoid a fine from the OCR, organizations must send notifications to affected individuals within 60 days of the breach being identified.
Notifications must explain what happened, what information was compromised, how the business is responding to the breach, and how it will prevent future breaches.
Examples of policies and procedures under this rule include:
Business associates are third parties that a covered entity shares PHI with. There are certain policies and procedures required by HIPAA to ensure that these third parties are also doing their part to protect PHI.
This includes a contract, known as a Business Associate Agreement (BAA), that states the acceptable and unacceptable uses of PHI by the third party. Businesses should also create policies and procedures for monitoring these relationships over time, for corrective actions in the event of a breach, and for termination of the relationship.
We explain the process of creating and managing your HIPAA policies and procedures below.
Policies and procedures include three key elements: the purpose, the scope, and the procedures.
To design effective procedures, simplify the language and remove any complex HIPAA jargon to make it easier for employees to understand.
Once policies and procedures have been written, your team needs to be able to understand and share them. Keep these policies somewhere that employees can easily access them, such as a company knowledge base.
It’s not enough to share these documents with your staff. You must also provide HIPAA training to help them better understand the organization's policies and procedures and how they relate to their role and responsibilities.
To ensure your policies and procedures stay up to date, your business should appoint a team to regularly review, approve, and finalize any changes or updates to policies and/or procedures. When changes have been made they should be noted within the policy’s version history.
When changes occur, a business may need to conduct refresher training with its staff or update its BAAs. All HIPAA policy changes must be documented and maintained for a minimum of six years.
Creating policies and procedures from scratch can feel overwhelming — especially with the number of policies you need for HIPAA compliance.
Secureframe can help you simplify the entire process by providing you with policy templates that can be tailored to the specific needs of your organization.
To learn more, request a demo with our team today.