Our HIPAA Security Rule Checklist ("Checklist") is intended to deliver step-by-step guidance, including suggested policies, processes, and tracking mechanisms that will allow you to make sense of this complex terrain. It is intended as a knowledge transfer vehicle that allows you to derive the HIPAA Security Rule compliance solution that works best within your organization. Our Checklist will “walk you through” the relevant statutory/regulatory sections of the HIPAA Security Rule, highlighting the policies, processes, and tracking mechanisms required at a granular level.
Our Checklist is comprised of Checklist Items that have the following components:
1) a policy statement that reflects an organization's intentions: the what;
2) a definition of a process by which the policy is implemented: the how; and
3) suggested tracking mechanism(s) for capturing process results: the measurement.
The word “policy” can be used in so many ways that it bears some exploration, especially for our purposes (i.e. as it pertains to HIPAA regulatory compliance). We often talk of “developing a policy,” or of “implementing a policy” or of “carrying out a policy.” For example, 45 CFR §164.530 (i) states as follows:
Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part.
Notice that a distinction is made between policies versus procedures. In general, we can think of a “policy” as a purposeful set of decisions or actions taken, usually in response to a problem that has arisen. From a compliance perspective, a policy is a set of statements, including decisions and actions, regarding what an organization intends to do with respect to meeting its regulatory requirements. A policy indicates what an organization intends to do and is often also used as a communications vehicle of said intent.
Our Checklist contains a HIPAA compliant Security Policy that can be used out-of-the-box or customized to meet your organization's specific requirements. However, our Checklist contains much more than mere policy statements. A policy is a necessary, but insufficient, component of a compliance initiative.
A process is a repeatable series of steps that must be accomplished over time. From a HIPAA regulatory compliance perspective, processes are how policies get implemented. Policies without processes are nothing more than empty promises and will not prevent serious compliance liability. HHS is going to want to see evidence not only of policies but of processes as well. Every Checklist Item contains process suggestions that will enable you to quickly "stand-up" your Security Rule Compliance initiative.
A tracking mechanism is a way to keep track of process results. For example, QuickBooks is a tracking mechanism for accounting data and processes. You must be able to track the results of your compliance processes if you hope to provide visible demonstrable evidence that you are meeting your regulatory requirements.