Element 1: Standards, Policies, and Procedures

Access:

| # | What to Measure | How to Measure | HIPAA Survival Guide (HSG) |
|---|---|---|---|
| 1.1 | Accessibility | Review link to employee-accessible website/intranet that includes the Code of Conduct | Under HSG’s methodology, we view access as necessary but not sufficient; we require Workforce members to read and sign each policy; signatures can be done electronically to reduce paper workflow. |
| | | Survey: Can you readily access or reference policies and procedures? (Yes/No/Don't know) | Id. |
| | | Survey: How and where do employees actually access policies and procedures? | Id. |
| | | Test key word search (searchable) | Keyword search is available from the Expresso™ Repository. |
| | | Audit and interview staff to show policies | See above. Staff must read & sign policies. |
| 1.2 | Actual Access | Audit how many actual "hits" on policies and procedures | See above. Staff must read & sign policies. The “ability” to audit policy “hits” is mostly eliminated by signatures and access. |
| 1.3 | Accessible language for code, standards and policies | Flesch-Kincaid measuring standard: no more than 10th-grade reading level | Thousands of products sold, almost all containing references to the regulations; no complaints ever about reading level. That said, this suggestion appears odd given the dense nature of the HIPAA regulations. |
| 1.4 | Compliance program awareness and communication | Survey employees to determine the extent to which the code of conduct and other compliance communications are available to employees | Our Agile methodology recommends periodic self-audits to determine the effectiveness of a customer’s HIPAA Compliance Initiative (“HCI”). |
| | | Review to ensure the standards, policies, and awareness material are updated and distributed within the organization’s guidelines | See above. Signatures required. |
| 1.5 | Impaired or disabled accessibility | Review accessibility options. Look at methods and speak to individuals. | Id. |
| 1.6 | Policy communication | Communication strategy of policies | Id. |
| 1.7 | Availability of policy content | Conduct surveys and observation | See self-audits above. |
Accountability:

| # | What to Measure | How to Measure | HIPAA Survival Guide (HSG) |
|---|---|---|---|
| 1.8 | Accountability | Policy Coordinator designated | Designated responsibility of the customer’s Compliance Officer (Privacy or Security). |
| 1.9 | Ownership and accountability of policies | Audit the process of how policies get enforced by the chain of command when compliance is not the final approver. Is management taking responsibility for implementing and following policies? | Methodology requires that the Executive Team reviews and modifies policies before said policies are distributed to the Workforce for signature. |
| 1.10 | Routine policies and procedures | Confirm that the listed owner of each policy and procedure is the actual owner. | Methodology requires, as per the Rules, a named Privacy Officer and Security Officer with corresponding titles and responsibilities updated in each individual’s personnel file. |
Review/Approval Process:

| # | What to Measure | How to Measure | HIPAA Survival Guide (HSG) |
|---|---|---|---|
| 1.11 | Annual review and Board approval of Compliance Plan | Audit: Review of Board minutes | See self-audits above. Methodology requires results of self-audits to be reported to the Executive Team. |
| 1.12 | Compliance documentation operations manual | Compliance or other oversight committee to review annually to ensure it is up to date. | Id. |
| 1.13 | Maintenance of policies | Check last review or revision | Id. |
| 1.14 | Number of policies reviewed and whether the review is timely | Process review/audit. Use a checklist to ensure all basic policy elements are in place, updated consistently and reviewed/approved by appropriate parties. | Id. Our methodology does not require hundreds of policies to be reviewed; rather, the policies tend to be comprehensive around each Rule and, in addition, nuanced items (e.g. social media, mobile, cloud, etc.) are also provided. |
| 1.15 | Policy approvals | Checklist audit. Create a list of policies, review committee and board minutes to ensure all approvals have been obtained. | Id. See also signatures. |
| 1.16 | Policy review process | Audit the process by which policies and procedures are prepared, approved, disseminated, etc. | Id. |
| 1.17 | Process for ensuring full organizational participation in policy and procedure development | Review documentation/minutes to verify input was solicited and considered for policy and procedure development and review | All policies require Executive Team review and signatures by the entire Workforce. |
| 1.18 | Process for review and approving | Check for written process | The Compliance Officer (“CO”) is responsible for ensuring that policies are kept current as per the operational environment and/or material changes in the law. Once policies are modified, the Executive Team reviews and/or modifies them, after which the Workforce signature process is invoked. |
Quality:

| # | What to Measure | How to Measure | HIPAA Survival Guide (HSG) |
|---|---|---|---|
| 1.19 | Are policies (and procedures) as good as industry practice? | Peer reviews | The CO is responsible for staying current with peers by participating in webinars, social media groups, etc. |
| 1.20 | Integrity of process for developing and implementing policies and procedures | Audit the policy and procedure on policies and procedures | See self-audits above. |
| 1.21 | Language and reading level of policies | Are policies written in plain language, at an appropriate grade reading level, and in the applicable languages for the organization? Policy review, Word grade-level review and interviews of staff to make sure they understand. | Evidence is that the word level is “usable” given the density of the Rules. |
| 1.22 | Language translation | Audit or process review. Are policies and the code of conduct translated into appropriate languages for the organization? | Language translation is available through an online service such as Google, BUT is not provided out-of-the-box. |
| 1.23 | Usefulness | Survey: Do department policies and procedures assist you in doing your job effectively? (Yes/No/Don't know) | See self-audits. |
| 1.24 | Need for policies that don’t exist | Interview staff to determine if they need certain policies to strengthen internal controls. | Id. |
| 1.25 | Policies and procedures | Request review from external experts | Id. |
Assessment:

| # | What to Measure | How to Measure | HIPAA Survival Guide (HSG) |
|---|---|---|---|
| 1.26 | Assessment of all company policies | Check list of policies; which are compliance and which are business | Compliance policies are kept in the Expresso™ repository. |
| 1.27 | Essential compliance policies and procedures exist | Can staff actually articulate policies and procedures? Test staff. | See self-audits. Workforce members are required to read and sign policies; Workforce members are required to take basic Privacy, Security, and Breach Notification Rule training and pass the corresponding tests with a grade of 70% or better. |
| 1.28 | Existence of procedure to support policy | Audit for procedure to support policy | Checklists always contain a suggested list of processes for each specific policy subject-matter section. |
| 1.29 | Fundamental policies and procedures in place | Have focus groups of work units/departments to determine whether they understand the policies and procedures necessary to do their jobs. | See self-audits. |
| 1.30 | Identifiability | Index of policies available and current | See Expresso™ repository. |
| | | Numbered policies, not just titles | See last-revised dates in the policies section on Last Revisions. |
| 1.31 | List of policies applicable to employees | Supervisors to assess direct staff | See above: policies routed and signed. See also training, including “nuanced” training like social media, mobile, cloud, etc. |
| 1.32 | Are those affected by policy given the opportunity to weigh in on policy when developed? | Focus groups and interviews of those affected by policy. | No. The only focus group is the Executive Team. |
| 1.33 | List of required policies | Create a checklist to make sure minimum policies are in place and then audit against the list. | See above: policies routed and signed. The “minimum list” covers ALL the Rules: social media, mobile, cloud, sanctions, etc. |
| 1.34 | Effectiveness of policies | Effectiveness of policies based on submission hotline calls | See self-audits. |
| 1.35 | Policies and procedures that have been identified as part of corrective action | Process review. Conduct an annual meeting with compliance and legal to look at databases and controls and prioritize review to ensure implementation and ongoing compliance with policies and procedures. | Id. |
| 1.36 | Policies for high-risk and operational areas | Audit | Id. |
| 1.37 | Policies, standards and procedures are based on assessed risks | Risk assessment; a policy exists for each risk identified in the risk assessment (coverage of a specific risk topic) | See our Privacy Rule and Security Rule Checklists; see also our Breach Notification Framework. |
| 1.38 | Policy inventory to ensure no overlap and contradiction of policies | Create an inventory and analyze it. Analyze and review past efforts. Look at various departments that might have overlapping policies. | See self-audits. |
| 1.39 | Policy review following investigation/issue | Top policies implicated in an investigation are reviewed to determine if the policy is ambiguous, complex, or fails to adequately safeguard against the issues. Validate through audit. | Id. |
| 1.40 | Routine policies and procedures are addressed and filter down. | Review department and committee agendas to ensure policies are addressed | See above: policies routed and signed. |
Code of Conduct:

| # | What to Measure | How to Measure | HIPAA Survival Guide (HSG) |
|---|---|---|---|
| 1.41 | Code of Conduct | Audit: Review dates, board approvals, distribution processes, attestations; survey employees for understanding; conduct focus groups. | See self-audits. |
| 1.42 | Compliance program awareness and communication | Survey employees to determine the extent to which they know the content of the Standards of Conduct (SOC) and how to access it. | Id. |
| 1.43 | Integrate mission, vision, values, and ethical principles with code of conduct | Compare the code with mission and vision statements to see if it includes those elements/statements. Check to see if the code is accessible to employees. | No. For most of our customers this kind of “organization speak” is beyond overkill. |
| 1.44 | Maintenance of code of conduct | Is the code written, posted for employees, with a documented frequency of reviews? Survey/test employees on their ability to locate it. | Code of conduct is reflected in policies. |
| 1.45 | Distribution | Documentation of Code of Conduct distribution tracking and results over the past two years for all employees, employed physicians, allied health professionals, independent (contracted) physicians, volunteers and vendors/contractors/consultants in the organization | See above: policies routed and signed. |
| 1.46 | Orientation | Audit to ensure all employees receive orientation to the SOC and compliance policies within 30 days of hire. | Id. See also training provided to all Workforce members. |
| 1.47 | Staff understanding of code of conduct and policies and procedures | Review test scores after training. | Workforce members must make a passing grade of 70% or better for each exam taken. |
| | | Conduct interviews. | See self-audits. |
Updates:

| # | What to Measure | How to Measure | HIPAA Survival Guide (HSG) |
|---|---|---|---|
| 1.48 | Compliance program communication of rule changes | Review periodically and at rule changes. Audit to ensure there is adequate communication to employees, including changes in policy/procedure. | Id. |
| 1.49 | New and updated policy distribution and education of appropriate staff | Process review: Does the organization have a formal process to make the workforce aware of new policies or changes in policies? | Id. |
| 1.50 | Practices implemented after new policy | Audit practices and review committee minutes and other documentation to determine how new policies are implemented. | Id. Updates to Checklists. |
Understanding:

| # | What to Measure | How to Measure | HIPAA Survival Guide (HSG) |
|---|---|---|---|
| 1.51 | Understanding of Policies/Procedures | Conduct surveys and/or focus groups on specific policies | Id. |
| 1.52 | Orientation | Audit adherence to policy/procedure | Id. |
| | | Ensure employees are provided instruction by knowledgeable personnel for questions/clarity | See training provided to all Workforce members. |
| 1.53 | Policies reflect practice | Use policies as an audit tool and then interview, observe and conduct document review to ensure policies are being followed. | See self-audits. |
| 1.54 | Questions asked by employees | System in place to track employee questions and concerns to ensure consistent guidance. Track departments where questions come from to deploy additional education where necessary. | Id. |
| 1.55 | Understandable to board and C-suite | Test board and C-suite on location and understanding | Executive Team must review/modify/approve policies. |
| 1.56 | Understandable to employees | Reading comprehension test | See self-audits. |
| | | Situational tests | Id. |
| | | Test of location | Id. |
Compliance Plan:

| # | What to Measure | How to Measure | HIPAA Survival Guide (HSG) |
|---|---|---|---|
| 1.57 | Maintain compliance plan and program | Review written plan or written schedule of compliance activities | See Scorecards that track each requirement of the Rules plus remediation notes. |
| 1.58 | Maintain compliance department operations manual | Audit existence of written manual, handbook, or reference guide | See Checklists, Frameworks, etc. There is no one manual; there are a number of manuals depending on the subject matter. |
| | | Test whether the manual is current | See self-audits. |
Confidentiality Statements:

| # | What to Measure | How to Measure | HIPAA Survival Guide (HSG) |
|---|---|---|---|
| 1.59 | Verify maintenance of appropriate confidentiality policies | Audit procedure for obtaining confidentiality statements from employees | See above: policies routed and signed. |
| | | Audit employee files for signed confidentiality statements from employees | Id. |
Enforcement:

| # | What to Measure | How to Measure | HIPAA Survival Guide (HSG) |
|---|---|---|---|
| 1.60 | Compliance with policies | Conduct interviews, observation. | See self-audits. |
| 1.61 | Policy violations | Audit policy and procedures to make sure practice is consistent with policy. | Id. See also Sanction Policy. |
| 1.62 | Adherence to policies and procedures for cases involving patient harm and reporting to regulatory agency | Review policies and procedures and cases involving patient harm and validate proper reporting to the regulatory agency | |