Formulating a written set of policies and procedures regarding privacy, security, and breach notification is one of the main requirements for HIPAA compliance, and one of the first things HHS auditors will ask to see when they visit your office.
What’s the difference between a policy and a procedure?
A policy spells out a practice’s values and the expected behaviors. It addresses the questions “what?” and “why?” A procedure, on the other hand, details the action required to deliver on the practice’s stated values. It answers the questions “how?” “where?” and “when?”
As an example, here’s how policies and procedures regarding verification of identity might be addressed in the policy and procedure document developed by a practice:
Verification of identity – Our practice will not disclose patient information to persons who do not have the authority to access the information. (That’s the policy.) If a person asks for information about a patient, and we do not know the person and/or we are not sure that the person has the authority to access the requested information, our privacy officer is responsible for verifying the person’s identity and authority to get the patient information requested. (That’s the procedure.)
Why does a practice need written policies and procedures?
I think it’s safe to say that most people who work in a dental office probably haven’t read the HIPAA regulations in their entirety – or even at all. At 500-plus pages, the Health Insurance Portability and Accountability Act – authored by lawmakers – isn’t exactly a beach read.
Policies and procedures are intendedto make the requirements of the HIPAA law understandable to the staff. Policies and procedures translate HIPAA’s requirements and restrictions into language that’s clear and easy to put into practice.
What do policies and procedures cover?
A practice needs to have policies and procedures for HIPAA’s requirements for privacy, security, and breach notification. Within those topics, there are many sub-topics, including such things as General Policies Regarding the Use and Disclosure of PHI, Business Associate Agreements, Release of Information to a Minor’s Parents, and Request to Amend a Patient Record, to name just a few.
What about using templates?
Some dentists believe the solution to HIPAA’s policies and procedures requirement is to buy a bunch of templates, fill in all the blanks that say “Name of Practice,” put those pages in a binder, slide the binder on a shelf, and be done with it.
Templates can provide an acceptable starting point, but policies and procedures need to be specific to each practice. Ideally, the office’s privacy officer and key staff members should be involved in formulating how HIPAA-related matters are addressed. With each issue a template focuses on, the team should ask, “Does this really reflect the way we handle this issue?” If it doesn’t, that section of the template needs to be modified accordingly.
If a practice merely fills in blanks without customizing the content, and if an auditor sees that the written policies and procedures don’t match the way the office actually does things, in addition to violating HIPAA, the practice could be subject to fines based on other laws, as well.
Your practice’s go-to guide
Policies and procedures are not meant to gather dust on a shelf. They should be shared with the entire staff, readily available to new hires, revisited often, and continually updated. A dental office’s policies and procedures play an essential role in the day-to-day functioning of the practice and its commitment to HIPAA compliance. The pages of that document should be dog-eared. Its place on the shelf should often be empty. In other words, your practice’s policies and procedures should be as much a part of daily life in the office as small talk about the weekend.
Roman Diaz is president and founder of Touchstone Compliance, a San Diego-based company offering a comprehensive suite of interactive online tools for meeting HIPAA standards.
