Policy & Procedure Writing

Policy & Procedure Writing
1
Objectives
• Identify key elements to
include in a Policy and a
Procedure (P&P)
• Outline key sections of a P&P
• Posting & implementing P&Ps
• Tie these elements into writing
HIPAA P&Ps in your
organization
2
Value of Consistent P&Ps
• Support consistent
organizational processes
• Training source for
workforce
• Proof of intent/good faith
• Risk management
3
Housekeeping
• Use present tense
• Avoid the words “will”, “could”, and
“should”
• Start sentences with an action word
• Example:
– The Security Officer will train all
workforce members
vs.
– The Security Officer trains all workforce
members
• Example:
– The system is backed up nightly
vs.
– Back up the system nightly
4
Housekeeping
• Make it easy to understand
for everyone to whom the
policy applies (avoid
legalese)
• Number each page
• Header with title
• 12-point font
5
Housekeeping
• Use a Template P&P
• Table of Contents
• Number all points
– Use outline formatting
– Limit each point to 1 or
2 sentences
– Flowchart/Mind map
6
What is a Policy?
• Guideline, goal, position of the
organization
• “What” and “why” of an operation,
function, decision, or procedure
(objective)
• Address the law requirements
– Organizational
– Federal
– State
– Other
7
Responsible for Implementation
• Who rolls out and monitors
that the P&P is followed?
– Department issuing the policy
– Privacy and/or Security Officer
– May be the author
• List departments and roles,
not names
8
Applicable to
• Who is required to follow or perform
the tasks outlined in the P&P? Who
does it affect?
– What departments?
– Which facilities?
– What systems?
– Other organizations?
9
Violations of the P&P
• Include steps taken when a
violation of the P&P is
reported/noted
• Consider action plans for
violations committed by
workforce members, business
associates, business partners,
etc.
• Refer to Sanction or Disciplinary
Action policy
10
Purpose (Not Required)
• Reason for the P&P
• Why written
Scope (Not Required)
• Broad general statements
outlining to whom or in
which situations the
procedure applies
11
Key Definitions
• Include definitions for
important terms used
– Legal
– Technical
– Open for interpretation
• List definitions alphabetically
12
What is a Procedure?
• Describes specifically “how” to
accomplish the policy
• Defines “how it is done”
• Step-by-step how to
accomplish a task
• Sequential
• Recommendation:
Flowchart/Mind Map
13
Authors of the P&P
• List authors
• Include date signed
• Other considerations
– Include “Revised by”
(for future changes to
policy)
– Place on a separate
Signature page
14
Attachments to Policy
• Forms
• Checklists
• Training Tools
• Examples
• Flowcharts
15
Reviewed By
• Individuals with authority over the P&P
– Department chair, medical director,
manager, supervisor, etc.
• Not the author
• May also be used for future
reviews of P&P (no changes
made when reviewed)
• Include date signed
• Consider placing on
Signature page
16
Applicable Standards/
Regulations
• List all standards,
regulations, laws, statutes,
etc. that apply to the P&P
17
Sources
• References used as a basis
to write the P&P
– Examples: AHIMA, NIST,
Phoenix Health Systems, etc.
– Other P&Ps
• Include the following:
– Document title
– Author
– Date published
18
Other Considerations
• Have a P&P standardizing how to
write, revise, post, and train on P&Ps in
your organization
• One person/department/team
maintains all P&Ps
• P&P numbering
– 4-digit number (01-04)
• 1st two are issuing dept. #
• 2nd two are policy #
– Master Index
19
Other Considerations
• Inform all new employees of
how to access and follow
P&Ps
• Use P&Ps to train those who
need to follow them
• May need to refine
procedures at departmental
level
• Other regulation/law
requirements
20
Prior to Posting…
• Ask team members and the
key workforce members it
affects to review it
• Verify it identifies who,
what, where, when, why, &
how
• Confirm all attachments
are addressed within the
P&P
21
Prior to Posting…
• Check formatting
• Review accuracy of page
numbering
• Confirm page numbering
is correct in Table of
Contents
• Do a spell check
22
Steps For Posting
• Post where all may access
– Intranet
– Shared drive
– Binder in central location
• Notification
– Email management/workforce
– Post on notification board(s)
23
Review Schedule
• Review annually and as
changes occur
• Determine who is
responsible for review
(e.g., author)
• Post changes and notify
of changes
24
Maintain Documentation
• HIPAA: Maintain all versions
for a minimum of 6 years from
last date in effect
– Hard copy or electronic
• Other regulations may
require storing for extended
periods of time
25
HIPAA P&P Writing:
Before You Start
• Locate existing, overlapping P&Ps
• Get help from departments
affected by the P&P
– High level
– Workforce
– Experts
26
Read the Regulations
• Find overlap between the
Privacy & Security Rules and
combine the P&Ps
• Find overlap across
implementation
specifications within each
particular rule and
combine them into one
P&P
27
HIPAA COW Security P&P Grid
• www.hipaacow.org
– Click on “HIPAA COW Documents
& Forms”
– Select “Security Documents”
– Accept the Disclaimer
– Open the “Security Rules P&P
Grid” document
28
P&P Writing Resources
• HIPAA COW: www.hipaacow.org
– Policy template
• Click on “HIPAA COW Documents &
Forms”
• Select “Security Documents”
• Accept the Disclaimer
• Open the “Security Policy Template”
document
– List of other resources
• Click on “Other HIPAA COW
Resources”
• Open “Security Policies and
Procedures” document
• AHIMA: www.ahima.org
29
System Access Policy
• 164.308(a)(3)(ii)(B) Workforce Clearance
Procedure
• 164.308(a)(3)(ii)(C) Termination
Procedures
• 164.308(a)(4)(ii) Isolating HC
Clearinghouse Function
• 164.308(a)(4)(ii)(B) Access Authorization
• 164.308(a)(4)(ii)(C) Access Establishment
& Modification
• 164.308(a)(5)(ii)(D) Password
Management
30
System Access Policy Continued…
• 164.310(b) Workstation Use
• 164.310(c) Workstation Security
• 164.312(a)(2)(i) Unique User
Identification
• 164.312(a)(2)(iii) Automatic Logoff
• 164.312(d) Person or Entity
Authentication
31