HIPAA - Policies and Procedures 164.316(a)
Overview:
A covered entity must, in accordance with § 164.306: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
Action Items:
1) Obtain and review documentation of the policies and procedures regarding the implementation of policies and procedures required to comply with Security Rule standards, implementation specifications or other requirements.
Related Documents:
1) Documentation of the policies and procedures regarding the implementation of policies and procedures required to comply with Security Rule standards, implementation specifications or other requirements.
Additional Guidance:
The reference to § 164.306(b)(2), the Security Standards: General Rules, is specifically to the “Flexibility of Approach” provisions that outline the types of factors covered entities must consider when implementing the Security Rule. While this standard requires covered entities to implement policies and procedures, the Security Rule does not define either “policy” or “procedure.” Generally, policies define an organization’s approach. For example, most business policies establish measurable objectives and expectations for the workforce, assign responsibility for decision-making, and define enforcement and consequences for violations. Procedures describe how the organization carries out that approach, setting forth explicit, step-by-step instructions that implement the organization’s policies.
Policies and procedures should reflect the mission and culture of the organization; thus, the Security Rule enables each covered entity to use current standard business practices for policy development and implementation. Policies and procedures required by the Security Rule may be modified as necessary to meet the changing needs of the organization, as long as the changes are documented and implemented in accordance with the Security Rule.
The Policies and Procedures standard is further explained and supported by the Documentation standard.