Policy and Procedure Documentation
Outline Developed by Barney McDowell LCSW for 2-28-03 Pragmatics of HIPAA Training
(When you read this, think of YOURSELF every time the term Covered Entity (CE) is used.)
I. If you are a “covered entity”, you must keep written or electronic documentation of your compliance with HIPAA.
II. If you make electronic transactions (or stipulate that you are a “covered entity” to, e.g., an insurer), then you are designated as a “covered entity”! But once you are a “covered entity”, the rule applies to all forms of your communication of PHI, including written and oral--not just electronic. See p. 82561-64 for administrative citations. Therefore, your policy and procedure documentation needs to address all of those forms.
III. Below (B. 1-9), overarching principles of HIPAA’s requirements for Policy and Procedures are first listed; then very specific requirements are listed in a format you may consider using as a template to create your own Policy and Procedure Documentation. This might be referred to as a manual, but there are also requirements for ongoing logging of training, complaints, sanctions, etc. Please note that this “template” is not comprehensive and HHS does not specify the degree of detail required beyond a one and a half page description in Sec. 164.530.
A. Overarching principles:
1. Administrative requirements are applicable to all policies, procedures and documentation required throughout the regulation.
2. Your practices must be reasonably designed to comply with the standards, implementation specifications, and other requirements of the relevant part of the regulation.
3. Must be written in plain language and support the Privacy rules.
4. “Reasonably design” and “scalable scope” may not be interpreted to permit or excuse any action that violates the privacy regulation.
5. Policy and Procedures identified must be maintained in writing--compliance is documented.
6. Any other communication, action, activity, or designation that must be documented under this regulation must be documented in writing. (Writing can be in electronic or paper form.)
7. Must retain documentation for at least 6 years (civil penalties statute of limitations period) from the date of the creation or the date the document was last in effect, whichever is later.
8. Policies must establish conditions for making changes if you have not reserved the right to change your practices in your Privacy practice notice: They must include that changes to policy, procedure or documentation will not be implemented until added to the documentation and appropriate individuals are notified.
Policy and Procedure Documentation
Disclaimer: The following is one possible outline that may suffice to meet the Rule’s requirement for documentation. HHS simply does not specify what detail they will require. We are left to speculate that for an individual private practitioner it may be sufficient to document that you are the person, e.g., who will be responsible for receiving and acting on patient requests (as per their rights under HIPAA) and that you will accommodate those requests according to the appropriate subparts. For larger companies and agencies, a great deal more detail will no doubt be required. For an alternative example, see www.medicalprivacy.unc.edu/resources_potm.htm.
I. Designating Required Personnel § 164.530(a):
Privacy officials must be established. They are the point person(s) for policy implementation, development and the complaints process. Both a Privacy Officer and Privacy Contact need to be designated and documented as such (they may be the same or a different person).
A. (______________________) is the Privacy Officer and has the following job duties:
1. Maintains awareness of relevant laws and regulation of HIPAA, including changes that may affect privacy practices.
3. Assures implementation of privacy activities and HIPAA compliance.
4. Educates and trains workforce on privacy issues and practices.
B. (_______________________) is the Privacy Contact and has the following duties:
1. Receives and handles complaints from patients regarding privacy issues.
2. Provides further information and assistance regarding privacy practices.
3. Reports and documents privacy activities.
II. Training the Workforce: § 164.530(b), training of employees in privacy and security--All members of the workforce are required to receive training on the policies and procedures and forms with respect to PHI as necessary and appropriate for their role. As stated above, the Privacy Officer is charged with overseeing the following:
A. CE implements policy and procedures for training.
III. Safeguards [§ 164.530(c)] must limit intentional, unintentional, and incidental disclosure of PHI to persons other than the intended recipient. No specific measures are required. “We intend this to be a common sense, scalable, standard”.
IV. Complaints Process [§ 164.530(d)] requires the CE to have a mechanism for receiving internal complaints from individuals concerning violations of the CE’s privacy practices and the requirements of the privacy standards.
A. Develop and implement a formal process for persons to make complaints.
B. Develop a process for a plan of correction and process improvement when a complaint is received or when a mistake is identified.
C. Must have an identified contact person for the complaint process.
D. Prohibit retaliation against persons for filing a complaint or exercising any right of the rule.
E. Must maintain a record of complaints and a brief explanation of the nature and resolution, if any.
F. Must be prepared to respond to complaints that may be filed with the Secretary of HHS.
V. Sanctions against members of the workforce who fail to comply with privacy policies or procedures of the CE or requirements of the rule. Does not apply to whistleblowers and business associates. They are addressed separately in 164.504.
A. CE must develop and impose sanctions appropriate to the nature of the violation, based on nature, severity, whether intentional/unintentional, and whether there is a pattern of improper use or disclosure.
B. Must have written policy and procedures for the application of appropriate sanctions.
C. Must document sanctions and violations.
VI. Refraining from Intimidating or Retaliatory Acts [§ 164.530(g)]: A CE may “not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against”
A. an individual for filing a complaint or participating in a process prescribed by the Rule, or
B. “individuals and others” for
1. filing a complaint with the Secretary,
2. testifying, assisting or participating in an investigation, compliance review, proceeding, or hearing under Part C of Title XI, or
3. opposing any act or practice made unlawful by the Rule, provided the individual…made the complaint in “good faith belief” that an “unlawful” act happened and that the “opposition” was made in a reasonable manner without disclosing PHI in violation of the Rule.
VI. Duty to Mitigate Breaches of confidentiality--must alleviate any harmful effect of a use or disclosure of PHI that is known to the CE. Applies to the CE’s policy and procedures and violations of the requirements of the rule. The CE is responsible to act on harm caused by the workforce or by business associates. What are your policies about how you plan to do this? Suggestion: Establish a policy that you’ll interview relevant persons and review documents; consult with peers and/or an attorney about appropriate actions; and communicate in written form to all parties, asking for documentation that the specific breach has been addressed, as well as the causes of the breach.
VII. Patient “Rights”--specific rights have practice or procedural elements that need policy and procedure development and documentation.
F. Requests for amending and correcting PHI
G. Requests for an accounting of PHI disclosures
H. Remember that HIPAA is a federal floor and that Substance Abuse Treatment Acts still apply and need to be considered in light of HIPAA standards.
VIII. Notice of privacy practices--This written document for patients requires specific elements (sample form provided). The Privacy Notice must be given to the client, posted on the web, etc., as discussed in detail in another section, but it also has to be accounted for in the Policy and Procedure Documentation. Any changes must be documented prior to the effective date of the change, though changes to the Privacy Notice may retroactively apply as long as the Notice claimed the right to revise at a later date.
IX. Business associate relationship requirements. Business associate contracts ensure compliance by your business partners with HIPAA. Obviously, a contract is a document, but you must also document the necessary policy and procedures about how you will go about developing and maintaining Business Associate relationships.
B. What system do you have to monitor these relationships and the communications between them? Who? What?
X. Oral communications that need documenting relate to what is needed to meet the “standard” for providing disclosure history. Not all need to be documented, and patient access only applies to the designated record set. Must have a policy to guide procedures. Do you have a policy about using client names in your waiting rooms? If you have an office coordinator or secretary, do you have policies about how they will use or disclose oral communications about the client?