The Requirements for Written Privacy Policies and HIPAA Law
-
Administrative Requirements
-
HIPAA law centers around two primary objectives designed to safeguard health information: privacy and security. An organization's administrative requirements fall under the security rules set forth under HIPAA. According to the University of Miami, these rules lay out certain standards and guidelines for implementing an organization's administrative requirements. Written privacy policies function as formal policies and procedures within an organization that address health information management, maintenance, employee roles and security measures designed to protect patient health information. In their entirety, these requirements provide a security framework for how organizations and employees access and use patient health information. Employee training, the assigning of a HIPAA security officer and regular reviews of current policies are also included under administrative requirements.
Access and Tracking Requirements
-
Written privacy policies under HIPAA law require health organizations to create policies and procedures that outline access authorizations and methods for tracking patient health information, according to the HIPAA Survival Guide. Access authorizations involve identifying which personnel require access to the system and setting limitations on access based on the amount of information needed to fulfill an employee's job responsibilities. Tracking requirements involve developing policies and procedures for monitoring activity within patient records and developing punitive measures when violations are detected. Written privacy policies also identify designated areas for computer stations and any security measures involved with accessing these workstations. Policies and procedures addressing business associate contracts are also required for organizations that work with third-party contractors or associated agencies.
Risk Management Requirements
-
As part of HIPAA requirements, health-related organizations must develop policies that identify their risk management and security procedures, according to the HIPAA Survival Guide. Risk management procedures describe how an organization goes about detecting, correcting and containing any security violations that arise. A plan for identifying areas of risk and vulnerabilities within an organization's operational procedures also falls within the risk management requirement. Policies must also address employee awareness of security measures in formal training programs. Written privacy policies regarding security procedures must include an emergency contingency plan for accessing patient information in the event of system failure, fire or any event that renders a system network inoperable. Contingency plans include methods for backing up system data, recovering lost system data and maintaining business processes during an emergency event.