Our HIPAA Privacy Rule Checklist ("Checklist") is intended to deliver guidance, including suggested policies, processes, and tracking mechanisms that will allow you to make sense of this new terrain. It is intended as a knowledge transfer vehicle that allows you to derive the HIPAA Privacy Rule compliance solution that works best within your organization. Our Checklist will “walk you through” the relevant statutory/regulatory sections of the HIPAA Privacy Rule, highlighting the policies, processes and tracking mechanisms required at a granular level.
Our Checklist is comprised of Checklist Items that have the following components:
1) a policy statement that reflects an organization's intentions: the what;
2) a definition of a process by which the policy is implemented: the how; and
3) suggested tracking mechanism(s) for capturing process results: the measurement.
The word “policy” can be used in so many ways that it bears some exploration, especially for our purposes (i.e. as it pertains to HIPAA regulatory compliance). We often talk of “developing a policy,” or of “implementing a policy” or of “carrying out a policy.” For example, 45 CFR §164.530 (i) states as follows:
Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part.
Notice that a distinction is made between policies versus procedures. In general, we can think of a “policy” as a purposeful set of decisions or actions usually in response to a problem that has arisen. From a compliance perspective, a policy is a set of statements, including decisions and actions, regarding what an organization intends to do with respect to meeting its regulatory requirements (e.g. see our Breach Notification Policy). A policy indicates what an organization intends to do and is often also used as a communications vehicle of said intent.
A process is a repeatable series of steps that must be accomplished over time. From a HIPAA regulatory compliance perspective, processes are how policies get implemented. Policies without processes are nothing more than empty promises and will not prevent serious compliance liability. HHS is going to want to see evidence not only of policies but of processes as well. Every Checklist Item contains process suggestions that will enable you to quickly "stand-up" your Privacy Rule Compliance initiative.
A tracking mechanism is a way to keep track of process results. For example, QuickBooks is a tracking mechanism for accounting data and processes. You must be able to track the results of your compliance processes if you hope to provide visible demonstrable evidence that you are meeting your regulatory requirements.