Although it is not a new requirement, it is important and therefore worth a reminder: HIPAA requires covered entities to establish and implement written policies and procedures that are consistent with its Privacy and Security Rules.
As discussed in an earlier blog, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has begun its Phase 2 HIPAA Audit Program. The Program will focus on the policies and procedures adopted and employed by covered entities and their business associates to meet the requirements of the Privacy, Security, and Breach Notification Rules. Furthermore, if a group health plan is selected for an audit, it would have a very short time to produce its policies and procedures (i.e., 10 business days). If the group health plan does not comply (for example, because it does not have policies and procedures), the OCR will likely impose corrective measures which could include costly civil monetary penalties.
HIPAA policies and procedures have important functions, including but not limited to:
- Limiting uses and disclosures of Protected Health Information (“PHI”) to the minimum amount reasonably necessary to achieve the purpose of the use or disclosure;
- Identifying the workforce members who need access to PHI and electronic PHI (“e-PHI”) to carry out their duties, the categories of PHI that they need, and any conditions under which they need the PHI to do their jobs;
- Ensuring appropriate protection of e-PHI when it is transferred, removed, disposed and electronic media is re-used; and
- Ensuring that e-PHI is not improperly altered or destroyed.
However, it is not sufficient for a group health plan to merely adopt its HIPAA policies and procedures. A group health plan must also:
- Designate a privacy and security official to develop and implement policies and procedures;
- Train applicable workforce members on its policies and procedures as necessary for them to carry out their functions, and apply appropriate sanctions against workforce members who violate its policies and procedures;
- Periodically assess how well its policies and procedures meet the requirements of the Security Rule; and
- Designate a contact person responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
There is no template for HIPAA policies and procedures. Instead employers have the flexibility to design policies and procedures that are appropriate for their size, organizational structure, and risks to PHI and e-PHI. Furthermore, as employers evolve, so should their policies and procedures. For example, if an employer adopts a telework policy, it may wish to review whether its policies and procedures appropriately address issues involving remote access.
In summary, although not a new requirement, due to new technologies, evolving business practices, and impending HHS audits, employers may want to review their HIPAA policies and procedures to make sure that they are compliant and up-to-date.