
Writing Effective HIPAA Privacy and Security Policies and Procedures September 21, 2007

Learn how to create clear and effective HIPAA privacy and security policies and procedures with practical examples and helpful tips.



Presentation Transcript


  1. Writing Effective HIPAA Privacy and Security Policies and Procedures September 21, 2007 by Catherine Boerner, JD

  2. Objectives • Keep it Real • Provide Practical Examples • Provide Helpful Tips

  3. Why you Need Policies and Procedures • Clear communication • Explain the way an organization operates • Prevent chaotic daily operations • Prevent frustration

  4. Written versus Unwritten • Consider keeping unwritten when: • Involves organizational culture and norms • Cannot be consistently enforced • Potentially offensive or intrusive • It simplifies Source: Writing Effective Policies and Procedures: A Step-by-Step Resource for Clear Communication by Nancy J. Campbell

  5. Written versus Unwritten • Always put a P&P in writing if the issue is one of: • Accountability • Clarity • Consistency • Critical Importance • Documentation • Health or Safety • Legal Liability • Licensing or regulatory requirements • Serious consequences

  6. Why you Need HIPAA Policies and Procedures Tell the reader: • What the Organization wants done (Policy) • Why it wants it done (Purpose) • How to do it (Procedure)

  7. Effective Policy The skill necessary for good policies is not writing. It’s decision making. Start with a clear decision, then proceed with good writing. Source: Writing Effective Policies and Procedures: A Step-by-Step Resource for Clear Communication by Nancy J. Campbell

  8. Degree of Ambiguity in Policies 1) User’s ability to understand and deal with the policy. How well will they cope? 2) Managers’ ability to understand the policy and willingness to enforce it. How much training will they need? 3) The intensity of the issue and the organization’s commitment to it. How closely does the organization wish to control the matter? Source: Writing Effective Policies and Procedures: A Step-by-Step Resource for Clear Communication by Nancy J. Campbell

  9. What the Organization wants done: • Use short sentences: “The absolute maximum is twenty words.” • Use common words: Don’t get fancy. Common words are common for a reason: They work. Everyone understands them. They’re fast and easy. And they’re usually short. Source: Writing Effective Policies and Procedures: A Step-by-Step Resource for Clear Communication by Nancy J. Campbell

  10. What the Organization wants done: • Use words with precision: • “Say what you mean and mean what you say” • Examine every statement to be sure it accurately reflects the subject’s content and the organization’s intent. Source: Writing Effective Policies and Procedures: A Step-by-Step Resource for Clear Communication by Nancy J. Campbell

  11. What the Organization wants done: • Avoid promissory language: • The word will means that you are committed to that position or action. • The word shall is the strongest legal commitment you can make. If you use them, mean them. Source: Writing Effective Policies and Procedures: A Step-by-Step Resource for Clear Communication by Nancy J. Campbell

  12. Example: HIPAA Privacy & Security = Business Associate Agreements P&P • What the Organization wants done: Hospital X will allow its business associates to create, receive, maintain, or transmit protected health information (PHI) on its behalf only if Hospital X obtains satisfactory written assurance that the business associate will appropriately maintain the privacy and security of the PHI and fulfill its HIPAA business associate obligations.

  13. Example: HIPAA Privacy & Security = Business Associate Agreements P&P • What the Organization wants done: Hospital X will obtain a signed Business Associate Agreement (BAA) from Business Associates who are allowed to access, use or disclose Protected Health Information (PHI).

  14. Example: HIPAA Privacy & Security = Business Associate Agreements P&P • Why the Organization wants it done: To comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), privacy and security regulations including 45 CFR 164.502(e), 164.504(e), 164.308(b)(1), and 164.314(a).

  15. Example: HIPAA Privacy & Security = Business Associate Agreements P&P • Why the Organization wants it done: To comply with the law! 45 CFR 164.502(e)(1) – (4) (HIPAA Privacy) 45 CFR 164.504(e) (HIPAA Privacy) 45 CFR 164.308(b)(1) (HIPAA Security) 45 CFR 164.314(a) (HIPAA Security)

  16. Example: HIPAA Privacy & Security = Business Associate Agreements P&P • Why the Organization wants it done: To help ensure that adequate privacy and security safeguards are in place when Hospital X provides Protected Health Information (PHI) to a Business Associate (BA).

  17. Example: HIPAA Privacy & Security = Business Associate Agreements P&P • Exceptions A Business Associate Agreement is not required when PHI is disclosed by the covered entity to a health care provider concerning the treatment of the individual. See 45 CFR 164.502(e)(1)(ii)(A)

  18. Example: HIPAA Privacy & Security = Business Associate Agreements P&P • Exceptions A Business Associate Agreement is not required when PHI is disclosed by a group health plan, or by a health insurance issuer or HMO with respect to a group health plan, to the plan sponsor, to the extent that the requirements of § 164.504(f) apply and are met. See 45 CFR 164.502(e)(1)(ii)

  19. Example: HIPAA Privacy & Security = Business Associate Agreements P&P • Exceptions A Business Associate Agreement is not required when PHI is used or disclosed by a health plan that is a government program providing public benefits, if eligibility for, or enrollment in, the health plan is determined by an agency other than the agency administering the health plan, or if the protected health information used to determine enrollment or eligibility in the health plan is collected by an agency other than the agency administering the health plan, and such activity is authorized by law, with respect to the collection and sharing of individually identifiable health information for the performance of such functions by the health plan and the agency other than the agency administering the health plan. See 45 CFR 164.502 (e)(1)(ii)

  20. Example: HIPAA Privacy & Security = Business Associate Agreements P&P • Definitions • Business Associate (BA) • Business Associate Agreement (BAA) • e-PHI • Protected Health Information (PHI) • Use • Disclosure • HIPAA • Treatment

  21. Procedure = How to do it Explain clearly the steps required to meet the goal of what the organization wants done. Ensure accuracy by referring to information provided by regulatory and accrediting agencies, company policy, or applicable laws. Include this information as a reference.

  22. Example: HIPAA Privacy & Security = Business Associate Agreements P&P • How to do it (Procedure) : How will Hospital X obtain a signed Business Associate Agreement (BAA) from Business Associates who are allowed to access, use or disclose Protected Health Information (PHI)?

  23. Making Policies and Procedures Effective • Who will this P&P affect? • Who should we involve? • When should we involve them?

  24. Example: HIPAA Privacy & Security = Business Associate Agreements P&P • How to do it (Procedure) : Hospital X will review 1099 tax forms to identify current vendors, and then identify which vendors' business arrangements allow them to access, use, or disclose PHI.

  25. Example: HIPAA Privacy & Security = Business Associate Agreements P&P • How to do it (Procedure) : Business associates are required to enter into Hospital X’s BA Agreement prior to performing services. No access to PHI will be allowed, no account will be set up, and no money will be paid for products or services until the contract is signed. Remember: If you say it mean it, otherwise don’t say it.

  26. Example: HIPAA Security = Remote Access P&P • What the Organization wants done (Policy) • Why it wants it done (Purpose) • How to do it (Procedure)

  27. Example: HIPAA Security = Remote Access P&P • What the Organization wants done (Policy) Anyone accessing electronic protected health information (ePHI) on the network from an off-site location must be authorized to access the ePHI and authorized to work remotely.

  28. Example: HIPAA Security = Remote Access P&P • Why it wants it done (Purpose) To help protect and safeguard ePHI when accessed by users remotely.

  29. Example: HIPAA Security = Remote Access P&P • Why it wants it done (Purpose) To comply with the law! 45 CFR 164.312(a)(2)(iii) (HIPAA Security) 45 CFR 164.308(a)(3)(ii)(B)(HIPAA Security) 45 CFR 164.308(a)(3)(ii)(C)(HIPAA Security) 45 CFR 164.308(a)(4)(ii)(B-C)(HIPAA Security)

  30. Example: HIPAA Security = Remote Access P&P • How to do it (Procedure) Workforce members must apply for remote access connections by completing a “Request for Access” form. All users requesting remote access must sign and comply with the “Information Access & Confidentiality Agreement.”

  31. Example: HIPAA Security = Remote Access P&P • How to do it (Procedure) Remote access users who violate this policy and/or the “Information Access & Confidentiality Agreement” are subject to sanctions and/or disciplinary action, up to and including termination of employment or contract.

  32. Techniques and Styles • Step-by-Step Listing • Playscript • Action-condition logic • Decision tables

  33. The Policy and Procedure Writer’s Oath “I do solemnly swear to avoid excess verbiage, fancy phrasing, and long words and sentences. I will resist the temptation to display my grammatical mastery and linguistic skill. I will devote myself to the pursuit of short, clear messages. I will dazzle with speed and clarity.” Source: Writing Effective Policies and Procedures: A Step-by-Step Resource for Clear Communication by Nancy J. Campbell

  34. Contact Information Catherine M. Boerner, J.D. President (414) 427-8263 Cboerner@boernerconsultingllc.com

  35. Questions
