On this blog, we have discussed the criticality of risk analyses – the assessment required by the Security Rule of the “risks and vulnerabilities” that an organization faces with respect to all of its electronic protected health information (ePHI). A frequent theme in settlements with the Office for Civil Rights (OCR), risk analyses are a required element of the Security Rule, and an extremely important one. However, the requirement to draft and implement policies and procedures is just as much a requirement, and just as key to HIPAA compliance.
The OCR Deputy Director for Health Information Privacy, Deven McGraw, recently spoke at a conference and highlighted the role of policies and procedures in OCR’s audit program.[i] She explained that one of the first things OCR will ask to see in an audit is policies and procedures, and OCR will judge compliance based on what an entity has in place.
Both the HIPAA Security Rule and the Privacy Rule require the creation, maintenance, and implementation of reasonable, documented policies and procedures. Under the Privacy Rule, an organization must evaluate “the size and type of activities that relate to PHI undertaken by a covered entity” and cover the requirements of the Privacy Rule and the Breach Notification Rule.[ii] Similarly, the Security Rule requires that both covered entities and business associates establish written policies and procedures covering each element of the Security Rule.[iii] The Security Rule requirements are designed to be flexible and scalable, and so adoption of “reasonable and appropriate measures” and the corresponding policies and procedures should account for the four factors listed in 45 C.F.R. 164.306(b):
- “The size, complexity, and capabilities of the covered entity or business associate.
- The covered entity’s or business associate’s technical infrastructure, hardware, and software capabilities.
- The cost of security measures.
- The probability and criticality of potential risks to electronic [PHI].”
It is not enough simply to have the policies and procedures – covered entities and business associates are expected to make them available to their workforce members, train workforce members on them and monitor their implementation.[iv]
Covered entities and business associates are both included in the current, ongoing round of audits, in which on-site audits are purported to begin soon.[v] With OCR increasing its enforcement arsenal, it is important for both covered entities and business associates to ensure that they have their “ducks in a row” and that their policies and procedures are in place in order to avoid further scrutiny from OCR. To learn more about compliance with the HIPAA Privacy Rule, see “10 Things You Don't Know About the Privacy Rule.”
[i] B. Siwicki, “OCR Deputy: Have policies in place to avoid a HIPAA review,” HealthcareITNews (Aug. 10, 2017), http://www.healthcareitnews.com/news/ocr-deputy-have-policies-place-avoid-hipaa-compliance-review
[ii] 45 C.F.R. 164.530(i)-(j).
[iii] 45 C.F.R. 164.316.
[iv] 45 C.F.R. 164.530(b); 45 C.F.R. 164.316.
[v] “HIPAA Privacy, Security and Breach Notification Audit Program,” available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html (last visited Aug. 15, 2017).