Increases efficiency, standardizes processes, reduces mistakes, minimizes liability, offers protection from breaches, simplifies training. If you don’t know what we are talking about the answer is simple; policies and procedures.
Some people consider policies and procedures an administrative burden that is simply a waste of time yet others not only understand the need for the same but consider these policies and procedures a critical part of any process.
Perhaps a brief discussion of processes may be an easier way to visualize the importance of policies and procedures as no fast food restaurant or manufacturer could survive without clear processes and policies. Another viewpoint that could clarify policies and procedures will be that of the military as failure to create and enforce simple to follow policies and procedures could result in the loss of critical assets at the worst possible time.
Regardless of the above, and as it relates to the healthcare industry, there has been a trend where several incidents, audits and investigations end up identifying the lack of up to date policies and procedures as an area that requires improvement. The importance given to policies and procedures has been such that they have included mandatory fines to those entities that fail to create and maintain policies in a number of topics.
Looking at it from an objective point of view, and understanding that communication is the number one problem that all organizations face, it is no wonder that Policies and Procedures are coming to the forefront as a critical element in the implementation of HIPAA Security Standards.
As evidence of this fact we only have to look at a Department of Health and Human Services (HHS) press release (June 2012) where they mentioned a settlement between HHS and the Alaska Department of Health and Social Services (ADHSS) of $1,700,000. The settlement was due to a HIPAA Security Breach violation and was the first of its kind. On the press release HHS wrote: “In addition to the $1,700,000 settlement, the agreement included a corrective action plan that required ADHSS to review, revise, and maintain policies and procedures to ensure compliance with the HIPAA Security Rule.”
The key thing to consider is that Policies and Procedures should be consider a living document that is easy to read and follow. With that in mind there are a couple of recommendation we provide when writing and implementing Policies and Procedures.
Regardless of what you end up doing remember that, depending on the topic, Policies and Procedures and mandatory and failure to create and implement may represent an unnecessary risk for you and your organization.