Our Checklists consist of checklist items. In general, each checklist item contains the following: 1) a policy statement; 2) a definition of a process that underpins the policy; and 3) suggested tracking mechanism(s) to capture process results. Checklist items are named using the following convention:
- prefix name of the Rule (e.g. "PR" is short for the HIPAA Privacy Rule);
- followed by a dash;
- followed by the sub-segment of the PR (e.g. UD for uses and disclosures);
- followed by a dash;
- followed by a four digit unique identifier;
- followed by the name of the checklist item.
For example, "PR-UD-0001 Violation" is the name of a hypothetical checklist item. We have broken down the PR into the following three sub-segments: 1) Uses & Disclosure ("UD"); 2) the Patient's Bill of Rights ("PBR"); and 3) the Administrative Requirements ("AR"). Progress on the Checklist directly correlates to progress on your Privacy Rule
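A small validator for this naming convention, added here as an illustration and not part of the original Checklist; the regular expression, the table of rule prefixes and sub-segments, and the sample identifiers are constructed for the example (only "PR" and its three sub-segments come from the text above).

```python
import re
from dataclasses import dataclass

# Constructed lookup tables: the rule prefix and the three PR sub-segments
# named on the page. Further rules or segments would be registered here.
RULE_PREFIXES = {"PR": "HIPAA Privacy Rule"}
SUB_SEGMENTS = {
    "PR": {
        "UD": "Uses & Disclosures",
        "PBR": "Patient's Bill of Rights",
        "AR": "Administrative Requirements",
    },
}

# <RULE>-<SEGMENT>-<four digits> <name of the checklist item>
_ITEM_RE = re.compile(r"^([A-Z]+)-([A-Z]+)-(\d{4}) (\S.*)$")


@dataclass(frozen=True)
class ChecklistItem:
    rule: str
    segment: str
    number: int
    name: str

    @property
    def identifier(self) -> str:
        return f"{self.rule}-{self.segment}-{self.number:04d}"


def parse_item(text: str) -> ChecklistItem:
    """Parse one item name, e.g. 'PR-UD-0001 Violation', rejecting bad input."""
    m = _ITEM_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed checklist item: {text!r}")
    rule, segment, number, name = m.groups()
    if rule not in RULE_PREFIXES:
        raise ValueError(f"unknown rule prefix {rule!r}")
    if segment not in SUB_SEGMENTS[rule]:
        raise ValueError(f"unknown sub-segment {segment!r} for rule {rule}")
    return ChecklistItem(rule, segment, int(number), name)


def load_items(lines) -> list:
    """Parse many lines, skip blanks, and reject a reused four-digit identifier."""
    seen = {}
    for line in lines:
        if not line.strip():
            continue
        item = parse_item(line)
        if item.identifier in seen:
            raise ValueError(f"duplicate identifier {item.identifier}")
        seen[item.identifier] = item
    return sorted(seen.values(), key=lambda i: (i.rule, i.segment, i.number))
```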
What is a Policy?
The word "policy" can be used in so many ways that it bears some exploration, especially regarding HIPAA regulatory compliance. We often talk of "developing a policy," or of "implementing a policy" or of "carrying out a policy." For example, 45 CFR §164.530 (i)(1) states as follows:
Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part.
Notice that the standard above makes a distinction between policies versus procedures. In general, think of a "policy" as a purposeful set of decisions or actions, usually in response to a problem that has arisen. From a compliance perspective, a policy is a set of statements, including decisions and actions, regarding what an organization intends to do in order to meet its regulatory requirements (e.g. see our Breach Notification Policy). A policy indicates what an organization intends to do and is often also used as a communications vehicle of that intent.
What is a Process?
A process is a repeatable series of steps that are accomplished over time. From a HIPAA regulatory compliance perspective, processes are how policies get implemented. Policies without processes are nothing more than empty promises and will not prevent serious compliance liability. HHS will require evidence of policies and processes. For example, the Privacy Rule in section 45 CFR §164.530 (b)(1) states the training requirement as follows:
A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
The requirement expressly states that the training must cover both your organization's policies with respect to the Privacy Rule and your underlying processes. Notice that nothing in the standard indicates how the required training should be carried out. The training standard has a corresponding implementation specification that reads as follows:
(2) Implementation specifications: Training.
(i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows:
(A) To each member of the covered entity's workforce by no later than the compliance date for the covered entity;
(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and
(C) To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.
(ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.
Again, although the implementation specification speaks to when training is required and the fact that it must be documented, it does not prescribe how your training should be conducted. Your training process is the vehicle used to specify, with a degree of detail and rigor, how your training will be carried out (e.g. formal classroom training, audited video training, self-help training, etc.).
What is a Tracking Mechanism?
A tracking mechanism is a way to keep track of process results. For example, QuickBooks is a tracking mechanism for accounting data and processes. You must be able to track the results of your compliance processes if you hope to provide visible, demonstrable evidence that you are meeting regulatory requirements. Your HIPAA training policy indicates your compliance training intentions; your training process is how you go about fulfilling those intentions; and your tracking mechanism must capture the results of your training process (i.e. how well you did in meeting your intentions). HHS will likely want to see evidence of all three components, but if you cannot show process results, then your entire training initiative is likely to be suspect.
There are many compliance processes that require tracking (as discussed throughout this Checklist) including, but not limited to the following:
1) patient privacy notice provisioning process;
2) patient authorization process;
3) patient restriction request process;
4) patient complaint process;
5) patient record access request process; and
6) workforce training process.
This "short list" of processes is not exhaustive but rather illustrative of the scope and magnitude of what needs to be tracked in order to move your organization along the compliance continuum toward full compliance.
How should your compliance processes be tracked? It is no longer reasonable to track compliance processes on paper (if it ever was). You are going to need a suitable Intranet, spreadsheets, and/or HIPAA compliance software in order to track and report effectively. We recommend the latter because it is the most economically viable option, even for small covered entities and business associates.
In this Issue of our Newsletter we are providing an "early release" of our Scorecards. Subsequent releases will contain more explanatory material including how our Checklist Items map to HHS' 169 requirements. However, none of the subsequent releases will make much sense until, at a minimum, you have interacted with the Scorecards enough to obtain basic familiarity.