Policies and Procedures Are Required for HIPAA Compliance

A carefully constructed set of Policies and Procedures is one of the main requirements for compliance with HIPAA. If you are a “Business Associate”, you must have at least a minimum set of specific Policies and Procedures (P&Ps) in order to be HIPAA-compliant.

Policies and Procedures are intended to make the various requirements of HIPAA law understandable to the members of your workforce. Because most people will never actually read the HIPAA regulations, P&Ps deliver HIPAA’s requirements in a form that employees, volunteers, contractors, and other members of the workforce can understand. Policies and Procedures are supposed to “translate” HIPAA’s legal requirements and restrictions into plain-language, everyday guidance for your workforce.

HIPAA Policies and Procedures are Flexible and Scalable

Policies and Procedures are mandatory for all Business Associates (BAs). But since BAs come in all shapes and sizes, HIPAA allows for Policies and Procedures to be flexible and scalable, so that BAs of any size or type can create P&Ps that are appropriate for their needs.

A smaller Business Associate like an individual contract coder will require much simpler Policies and Procedures than a billing firm or collection agency. Large and small BAs must have the same minimum set of P&Ps, but the length and complexity of each Policy or Procedure may vary widely.

Your HIPAA Policies

HIPAA requires certain Policies and Procedures for Business Associates. However, HIPAA has no specific requirements as to how long or short P&Ps must be, the form or format they must have, or the language that must be in them.

Instead, HIPAA sets out certain subjects or objectives that each Policy or Procedure must address. BAs can create P&Ps that suit their own needs while still meeting those objectives. This is why there is no “one size fits all” approach to P&Ps that will suit every BA’s needs. Instead, every Business Associate must customize and implement its own P&Ps within the boundaries set by HIPAA.