Over the course of the last few years the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has investigated thousand of cases which have resulted in millions of dollars in fines and settlements for the violators. The interesting part and potentially common denominator in many of these cases are the lack of updated policies and procedures and the Corrective Action Plan (CAP) that many of these “violators” must implement as part of their settlement.

Policies and Procedures Standards are identified under 45 CFR §164.316.  Normally this standard is not included in Appendix A of the “Security Standards: Matrix”. Yet the fact Policies and Procedures are not listed in this Appendix A does not make the same a voluntary requirement. In fact, the need to have updated policies and procedures is a requirement of the law and a deficiency noted and addressed in many of the deficiencies identified in previous settlements.

Policies and Procedures do not have to be complex, but they do need to address the requirements of HIPAA Security and any peculiarities of the organization. Policies and Procedures also need to be updated on an as needed basis, but we recommend that the same be revised at least once per year.