Practical Advice for Effective Policies, Procedures (HIPAA on the Job)

by Margret Amatayakul, RHIA, FHIMSS

Most HIPAA project managers are putting finishing touches on policies and procedures, getting them approved, and preparing training materials to meet the April 14, 2003, compliance deadline for privacy rule implementation. But it’s not enough to just write policies and procedures: policies need to be statements that provide managerial guidance and procedures need to be operational reflections of those policies. Here’s how to create the most effective policies and procedures for your organization.

Policy, Procedure, and Documentation Requirements

Policies direct workers to take action consistent with legal, ethical, and organizational requirements. Procedures provide explicit, step-by-step instructions. Together, they guide the documentation required to substantiate actions. HIPAA specifically requires that communications the rule mandates be documented in writing, and that records be kept of any required action, activity, or designation.

Effective Policies and Procedures

Most organizations have policy and procedure guidelines and often a prescribed format. Some organizations are reviewing their guidelines in light of the volume of HIPAA policies and procedures. “Key Elements of Policies and Procedures” provides the most common elements included in policies and procedures.

Writing the Policy

The essential elements of a policy statement are:

  • measurable objectives and expectations
  • designation of responsibilities
  • enforcement and consequences for violations

Policies are broad, high-level statements that document management’s directives. Policies should be concise, but substantive. Consider the following steps to create effective policies:

1. Read the rule pertinent to the policy to be written. For example, the privacy rule’s restriction requirement (45 CFR 164.522(a)) states: “A covered entity must permit an individual to request restrictions on uses or disclosures of protected health information to carry out treatment, payment, or healthcare operations.”

2. Determine the organization’s corporate position relative to the requirement. Determine whether the requirement is being followed in any manner today or, if not, how the key areas affected by the requirement might respond. For example, the covered entity may currently assign an alias to patients who are public figures or are in danger, but honor few other restrictions. When obtaining input from the key areas affected, most caregivers will probably be reluctant to see any limits placed on information access for treatment purposes, and the information technology department may report limitations in access control and audit trail capabilities.

3. Armed with information about the issues, create a policy that unites the HIPAA requirement with the organization’s concerns and capabilities. For example, the policy on restrictions might read:

Patients will be given the right to request restrictions on uses and disclosures of their protected health information (PHI). Such restrictions, however, carry significant risk to the patient and to the organization.

Restrictions in the form of limited access may be accepted when the risks have been acknowledged by the patient, we have the administrative, physical, and technical capability of complying with the restriction, and the patient’s attending physician or other licensed healthcare professional finds that patient care will not be detrimentally affected.

An alias may be assigned to the patient if the patient is in danger or is a public figure whose identity could be disruptive to the provision of care, and if we have the means or the assurance to ensure that the patient’s financial obligations will be met. Any restrictions accepted will not apply if the restricted information is needed to provide emergency treatment.

4. Show the draft of the policy to the individuals who will be responsible for carrying it out. For the example above, ask patient access staff members to read and interpret the policy. They should recognize that they may be among the first to be asked about a restriction and should feel comfortable providing a request form for the patient to review. However, if these staff members believe that they can approve a limited access restriction themselves, the policy is not clear enough. Identify others who could be approached with this request, such as nursing personnel in the emergency department or physicians in the office. Ask caregivers when they anticipate that patients may ask for restrictions, and test the policy against those scenarios.

5. Draft the procedures associated with the policy as a second level of verification that the policy is operational. For example, draft the procedure for patient access staff to respond to requests, and the procedure for caregivers to follow in receiving a request and accepting or denying the restriction.

6. Consider charting the potential flow of information relative to the policy as a final test and first step toward implementation of the policies and procedures. Draw a flowchart depicting the path of information on which there is a restriction, and determine whether the restriction can be managed at every point. It may even be necessary to run test data through the information systems.

In summary, a policy should be broadly worded to provide guidance in handling virtually any situation relative to its topic. However, that guidance must be clear enough that when a scenario is given to two different staff members, they will offer similar responses.

Writing the Procedure

Just as the policy statement must provide direction, the detailed procedural steps must permit a member of the work force to carry out the task. Consider the following steps:

1. Describe any preparation or “make-ready” tasks: Identify tools that need to be made available to perform the task or to establish the appropriate environment in which to conduct the task.

2. Identify where the work is initiated: An event may initiate a task, or there may be certain repeated responsibilities.

3. Provide specific instructions for processing the task, including any:

  • use of reference materials such as code sets, scripts, checklists, forms, or tools
  • decision points such as when it is necessary to escalate decision making to a supervisor or manager or when it is necessary to obtain approval from another individual
  • pending status describing when and for how long a task should be held awaiting further information or other action

4. Define what constitutes completion: This describes what the completed task or product should look like.

5. Identify to whom the end result is disseminated: Identify how and to whom completion of the task is communicated, or how work is passed off to the next stage of steps.

6. Include requirements for supporting documentation: If performing the task requires documentation apart from the actual completion, this supporting documentation should be described.

7. Define how the results are permanently stored: If the direct result of the task is documentation, or there is any supporting documentation, directions should be supplied as to how and where this documentation is stored.

8. Describe any “put away” tasks: There may be steps at the end of performing the task to put away tools and other materials.

Where policies should provide latitude for handling exceptions, procedures need to be as explicit as possible. Procedures are legal documents and can serve as evidence in evaluating compliance; an organization whose procedures do not provide adequate instruction will generally find it more difficult to ensure compliance.

There are generally three formats that writers use to prepare detailed procedural steps. An organization should choose which format will best suit the subject of the procedure:

  • a list is the most common format. It is an enumeration of the steps, numbered in sequence, and grouped by logical categories if applicable.
  • a flowchart is a format frequently used when a procedure entails many decision points. A table may substitute for symbols where there is a consistent, limited set of alternatives to follow.
  • a storyboard is a less common format but can be very effective when important instructions must be conveyed very quickly, such as how to use a fire extinguisher. Storyboards are also useful in environments where there are many people for whom English is a second language. Some storyboards are used to provide scripts for persons who need to ensure they convey a consistent message.

Approval of Policies and Procedures

For policies to be implemented, senior management must provide approval. Many HIPAA policies and procedures reflect very complex implementation specifications. The organization’s leaders may not need to understand every nuance, but they should be informed about why the policy is needed and assured that it has undergone necessary reviews and testing.

Because HIPAA is not black and white, the organization’s leaders should understand the level of residual risk inherent in a policy. For example, a very conservative policy on accepting restrictions in only certain circumstances minimizes risk of not having information for treatment purposes and lessens the possibility of violating a restriction but may increase complaints and cause patient satisfaction scores to drop.

Consider providing a cover memo to summarize key information about which senior management is most concerned. (See “Sample Cover Memo”.)

Tracking and Monitoring

HIPAA explicitly establishes the need for many policies and procedures. A good way to identify the policies and procedures needed is to make a list of all of the privacy requirements, take an inventory of existing policies that relate to the requirements, and then identify what is missing. It might also be wise to identify which existing documents should be revised or retired. (See “Tracking Policies and Procedures”.)

In addition to tracking which policies and procedures address which standards, a tracking tool can be used for ongoing monitoring and revisions to policies.

Policies and procedures are not an end unto themselves; rather, they are the beginning of an ongoing monitoring system to ensure compliance. As such, taking care today to craft practical policies and comprehensive procedures will yield long-term compliance benefits.

Key Elements of Policies and Procedures
  • Title: identifies subject
  • Reference number: useful for internal tracking
  • Statement of purpose: may provide citations to regulations
  • Scope: defines resources covered, such as all PHI or all confidential information including proprietary business information
  • Definitions: defines terms that have special meaning
  • References: lists any external sources of information or standards
  • Effective date: the date the policy and procedure was put into place
  • Review/revision date: the date of any review and change. Policies should never be destroyed. If a policy is no longer applicable, it should be retired and placed in a permanent file. This is because it may be necessary for the organization or a member of the work force to demonstrate that a previous action was or was not consistent with the old policy
  • Authority and approval: identifies who may authorize approval
  • Rider: may be used to authenticate receipt of, and agreement to abide by, the policy
    Policy Statement
  • Measurable objectives and expectations: this is the primary statement of the policy
  • Responsibilities: assigns duties for implementation
  • Compliance enforcement: describes how the policy will be monitored and enforced
    Detailed Procedural Steps
  • Resources: tools and other resources required to perform the procedure
  • Detailed procedural steps: a list, flowchart, or storyboard outlining the sequence of steps to perform
  • Associated forms/screens: illustrates data entry or retrieval
  • Performance expectations: quantity and quality standards associated with tasks

Sample Cover Memo
Policy Name:
Executive Sponsor:

(This is the essence of the policy and procedure in two to three sentences.)

Affected Components: (Identifies classes of workers affected.)
Operations: (Highlights critical elements that positively and/or negatively affect the way the organization functions.)
Financial: (Identifies cash outlays as well as any ROI and/or loss avoidance that can be quantified.)

Risk Assessment:
(Describes risk of not implementing policy and procedure and residual risk after implementation.)

(Describes why the policy and procedure is created/revised [such as the HIPAA standard being met].)

Tracking Policies and Procedures

Requirement                                          | Existing documentation | Action | Policy to create/revise     | Team | Date completed | Date
1. Permitted uses and disclosures                    | None                   | Create | Uses and disclosures of PHI | Mary |                |
4. Uses and disclosures of de-identified information | Medical record         | Create | De-identification           | Sue  | Jan. 10        |
5. Disclosures to business associates                | Release of information | Revise |                             | Mary |                |
13. Business associate contracts                     | Contract management    | Revise |                             | Tom  |                |

Margret Amatayakul (margretcpr@) is president of Margret\A Consulting, LLC, an independent consulting firm based in Schaumburg, IL.

Article citation:
Amatayakul, Margret. "Practical Advice for Effective Policies, Procedures." Journal of AHIMA 74, no.4 (April 2003): 16A-D.