Presentation is loading. Please wait.

Presentation is loading. Please wait.

Writing Effective HIPAA Privacy and Security Policies and Procedures September 21, 2007 by Catherine Boerner, JD.

Published byBryan Floyd Modified over 9 years ago

Similar presentations

Presentation on theme: "Writing Effective HIPAA Privacy and Security Policies and Procedures September 21, 2007 by Catherine Boerner, JD."— Presentation transcript:

1 Writing Effective HIPAA Privacy and Security Policies and Procedures September 21, 2007 by Catherine Boerner, JD

2 2 Objectives  Keep it Real  Provide Practical Examples  Provide Helpful Tips

3 3 Why you Need Policies and Procedures Clear communication Explain the way an organization operates Prevent chaotic daily operations Prevent frustration

4 4 Consider keeping unwritten when: Involves organizational culture and norms Cannot be consistently enforced Potentially offensive or intrusive It simplifies Source: Writing Effective Policies and Procedures: A Step-by-Step Resource for Clear Communication by Nancy J. Campbell Written versus Unwritten

5 5  Always put a P&P in writing if the issue is one of: Accountability Clarity Consistency Critical Importance Documentation Health or Safety Legal Liability Licensing or regulatory requirements Serious consequences Written versus Unwritten

6 6 Why you Need HIPAA Policies and Procedures Tell the reader: What the Organization wants done (Policy) Why it wants it done (Purpose) How to do it (Procedure)

7 7 Effective Policy The skill necessary for good policies is not writing. It’s decision making. Start with a clear decision, then proceed with good writing. Source: Writing Effective Policies and Procedures: A Step-by-Step Resource for Clear Communication by Nancy J. Campbell

8 8 Degree of Ambiguity in Policies 1) User’s ability to understand and deal with the policy. How well will they cope? 2) Managers’ ability to understand the policy and willingness to enforce it. How much training will they need? 3) The intensity of the issue and the organization’s commitment to it. How closely does the organization wish to control the matter? Source: Writing Effective Policies and Procedures: A Step-by-Step Resource for Clear Communication by Nancy J. Campbell

9 9 What the Organization wants done: Use short sentences: “The absolute maximum is twenty words.” Use common words: Don’t get fancy. Common words are common for a reason: They work. Everyone understands them. They’re fast and easy. And they’re usually short. Source: Writing Effective Policies and Procedures: A Step-by-Step Resource for Clear Communication by Nancy J. Campbell

10 10 What the Organization wants done: Use words with precision:  “Say what you mean and mean what you say”  Examine every statement to be sure it accurately reflects the subject’s content and the organization’s intent. Source: Writing Effective Policies and Procedures: A Step-by-Step Resource for Clear Communication by Nancy J. Campbell

11 11 What the Organization wants done: Avoid promissory language:  The word will means that you are committed to that position or action.  The word shall is the strongest legal commitment you can make. If you use them, mean them. Source: Writing Effective Policies and Procedures: A Step-by-Step Resource for Clear Communication by Nancy J. Campbell

12 12 Example: HIPAA Privacy & Security = Business Associate Agreements P&P What the Organization wants done: Hospital X will allow its business associates to create, receive, maintain, or transmit protected health information (PHI) on its behalf, if Hospital X obtains satisfactory written assurance that the business associate will appropriately maintain the privacy and security of the PHI and fulfill HIPAA business associates obligations.

13 13 Example: HIPAA Privacy & Security = Business Associate Agreements P&P What the Organization wants done: Hospital X will obtain a signed Business Associate Agreement (BAA) from Business Associates who are allowed to access, use or disclose Protected Health Information (PHI).

14 14 Example: HIPAA Privacy & Security = Business Associate Agreements P&P Why the Organization wants it done: To comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), privacy and security regulations including 45 CFR 164.502(e), 164.504(e), 164.308(b)(1), and 164.314(a).

15 15 Example: HIPAA Privacy & Security = Business Associate Agreements P&P Why the Organization wants it done: To comply with the law! 45 CFR 164.502(e)(1) – (4) (HIPAA Privacy) 45 CFR 164.504(e) (HIPAA Privacy) 45 CFR 164.308(b)(1) (HIPAA Security) 45 CFR 164.314(a) (HIPAA Security)

16 16 Example: HIPAA Privacy & Security = Business Associate Agreements P&P Why the Organization wants it done: To help ensure that adequate privacy and security safeguards are in place when Hospital X provides Protected Health Information (PHI) to a Business Associate (BA).

17 17 Example: HIPAA Privacy & Security = Business Associate Agreements P&P Exceptions A Business Associate Agreement is not required when PHI is disclosed to a Business Associate for the purposes of Treatment. See 45 CFR 164.502 (e)(1)(ii)

18 18 Example: HIPAA Privacy & Security = Business Associate Agreements P&P Exceptions A Business Associate Agreement is not required when PHI is disclosed by a group health plan or a health insurance issuer or HMO with respect to a group health plan to the plan sponsor, to the extent that the requirements of § 164.504(f) apply and are met; or See 45 CFR 164.502 (e)(1)(ii)

19 19 Example: HIPAA Privacy & Security = Business Associate Agreements P&P Exceptions A Business Associate Agreement is not required when PHI is used or disclosed by a health plan that is a government program providing public benefits, if eligibility for, or enrollment in, the health plan is determined by an agency other than the agency administering the health plan, or if the protected health information used to determine enrollment or eligibility in the health plan is collected by an agency other than the agency administering the health plan, and such activity is authorized by law, with respect to the collection and sharing of individually identifiable health information for the performance of such functions by the health plan and the agency other than the agency administering the health plan. See 45 CFR 164.502 (e)(1)(ii)

20 20 Example: HIPAA Privacy & Security = Business Associate Agreements P&P Definitions  Business Associate (BA)  Business Associate Agreement (BAA)  e-PHI  Protected Health Information (PHI)  Use  Disclosure  HIPAA  Treatment

21 21 Procedure = How to do it Explain clearly the steps required to meet the goal of what the organization wants done. Ensure accuracy by referring to information provided by regulatory and accrediting agencies, company policy, or applicable laws. Include this information as a reference.

22 22 Example: HIPAA Privacy & Security = Business Associate Agreements P&P How to do it (Procedure) : How will Hospital X obtain a signed Business Associate Agreement (BAA) from Business Associates who are allowed to access, use or disclose Protected Health Information (PHI)?

23 23 Making Policies and Procedures Effective Who will this P&P effect? Who should we involve? When should we involve them?

24 24 Example: HIPAA Privacy & Security = Business Associate Agreements P&P How to do it (Procedure) : Hospital X will review 1099 tax forms to identify current vendors and then identify which vendors business arrangement allows access, use or disclose of PHI.

25 25 Example: HIPAA Privacy & Security = Business Associate Agreements P&P How to do it (Procedure) : Business associates are required to enter into Hospital X’s BA Agreement prior to performing services. No access to PHI will be allowed, no account will be set up, and no money will be paid for products or services until the contract is signed. Remember: If you say it mean it, otherwise don’t say it.

26 26 Example: HIPAA Security = Remote Access P&P What the Organization wants done (Policy) Why it wants it done (Purpose) How to do it (Procedure)

27 27 Example: HIPAA Security = Remote Access P&P What the Organization wants done (Policy) Anyone accessing electronic protected health information (ePHI) on the network from an off- site location must be authorized to access the ePHI and authorized to work remotely.

28 28 Example: HIPAA Security = Remote Access P&P Why it wants it done (Purpose) To help protect and safeguard ePHI when accessed by users remotely.

29 29 Example: HIPAA Security = Remote Access P&P Why it wants it done (Purpose) To comply with the law! 45 CFR 164.312(a)(2)(iii) (HIPAA Security) 45 CFR 164.308(a)(3)(ii)(B)(HIPAA Security) 45 CFR 164.308(a)(3)(ii)(C)(HIPAA Security) 45 CFR 164.308(a)(4)(ii)(B-C)(HIPAA Security)

30 30 Example: HIPAA Security = Remote Access P&P How to do it (Procedure) Workforce members must apply for remote access connections by completing a “Request for Access” form. All remote access users requesting remote access must sign and comply with the “Information Access & Confidentiality Agreement.”

31 31 Example: HIPAA Security = Remote Access P&P How to do it (Procedure) Remote access user who violate this policy and/or the “Information Access & Confidentiality Agreement” are subject to sanctions and/or disciplinary actions, up to and including termination of employment or contract.

32 32 Techniques and Styles  Step-by-Step Listing  Playscript  Action-condition logic  Decision tables

33 33 The Policy and Procedure Writer’s Oath “I do solemnly swear to avoid excess verbiage, fancy phrasing, and long words and sentences. I will resist the temptation to display my grammatical mastery and linguistic skill. I will devote myself to the pursuit of short, clear messages. I will dazzle with speed and clarity.” Source: Writing Effective Policies and Procedures: A Step-by-Step Resource for Clear Communication by Nancy J. Campbell

34 34 Contact Information Catherine M. Boerner, J.D. President (414) 427-8263 Cboerner@boernerconsultingllc.com

35 35 Questions

Download ppt "Writing Effective HIPAA Privacy and Security Policies and Procedures September 21, 2007 by Catherine Boerner, JD."

Similar presentations

H OGAN & H ARTSON, L.L.P.

H OGAN & H ARTSON, L.L.P.
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
Protection of privacy for all Students!

Protection of privacy for all Students!
WRSU Customer Service The Beauty of Change. Privacy and Confidentiality.

WRSU Customer Service The Beauty of Change. Privacy and Confidentiality.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.

HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
Confidentiality and HIPAA

Confidentiality and HIPAA
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.

HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.

P E N N S Y L V A N I A C O A L I T I O N A G A I N S T D O M E S T I C V I O L E N C E P E N N S Y L V A N I A C O A L I T I O N A G A I N S T RAPE HIPAA.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”

 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

Similar presentations

Ads by Google