Health Information Management

The four steps of HIPAA policy creation

HIM-HIPAA Insider, October 11, 2011

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

HIPAA policy creation is ultimately a four-step process, says Phyllis A. Patrick, MBA, FACHE, CHC, president of Phyllis A. Patrick & Associates, LLC, in Purchase, NY. She describes the steps as follows:

  • Develop your policy. "To develop a policy you have to have input from your stakeholders," says Patrick. For example, a sanctions policy requires input from HR managers, she says. The sanctions policy should also be cross-referenced in your organization's HR policies. Ensure that policies are not contradictory—Patrick often sees this problem. For example, if an HR policy and sanctions policy say different things, people involved in policy development are not communicating and developing policies together. "It's everybody's job," she says. And write policies in a tone and style that ensures your staff will easily understand them; write for the masses, Patrick says. Have your legal department review all of the policies as a final step.
  • Review and approve your policy. The approval process sometimes is unclear, Patrick says. Someone may write a policy and store it in a binder, but fail to get approval from a governing body, board committee, or group of senior leaders. "Somebody's got to approve it," she says. Be consistent with respect to all of your organization's policies and note the review and approval of every new policy.
  • Communicate your policy. "It's sort of the who, what, when, and where," says Patrick. "How do you communicate your policies?" Involve other departments (e.g., HR, PR, marketing) so that your privacy officer is not a lone voice communicating to staff members. "Organizations need to think that through," she says. After distributing policies to management, follow up to ensure they have communicated that information to frontline staff.
  • Document your policy. Post your policies online for all to see, but keep a binder with paper copies as well, says Patrick. When the Office for Civil Rights or another agency visits your organization, you can simply hand over the binder. "It's all included, it's simple, it's organized, and it's easy," she says, adding that the last thing you want is staff members scrambling to organize paperwork.
Editor’s note: For more advice on self-disclosure, access the article in its entirety in the September issue of Briefings on HIPAA.

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Most Popular