Posted by: Pabrai
The Policies and Procedures (§ 164.316(a)) requirement in the HIPAA regulation states that organizations will implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the regulation. An organization may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with regulation mandates.
The HITECH Act includes requirements for policies and procedures for complying with the Data Breach notification provision. In addition, your organization – be it a covered entity or a business associate – may also be required to comply with State mandates for the personal data or personal information of residents of the State whose information you manage or process.
As you review and update policies to comply with HIPAA, HITECH and State mandates, I would encourage you not to limit the scope of your policies to EPHI or PHI. Go beyond and ensure that your policies address all Personally Identifiable Information (PII) that your organization comes into contact with or manages.
Reasonable and Appropriate
The NIST SP 800-66 Revision 1 document is an excellent place to start to better understand the requirements for complying with HIPAA policies and procedures. Questions you need to address include:
- Are reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the HIPAA Security Rule in place?
- Are policies and procedures reasonable and appropriate given:
  - The size, complexity, and capabilities of the covered entity;
  - The covered entity’s technical infrastructure, hardware, and software security capabilities;
  - The costs for security measures; and
  - The probability and criticality of potential risks to EPHI?
- Do procedures exist for periodically reevaluating the policies and procedures, updating them as necessary?
NIST SP 800-122 – A Critical Reference for Policies
As you look to revise and update your policies, you should also reference NIST Special Publication SP 800-122, which is focused on Personally Identifiable Information (PII). Given the multitude of information privacy and security regulations that covered entities and business associates have to comply with, it is best to set the tone in organizational policies so that they are not limited to EPHI or PHI, but cover all PII.
So when was the last time you updated your policies? Did you update them to address PII?