HIPAA requirements tell you what should be done, but not how to do it.

Policies versus Procedures

A policy is the clear, concise statement of the parameters by which the organization conducts business. Policies are what an organization intends to do in order to meet its regulatory requirements.

A procedure is the organization's customized process for making sure the policy is carried out. It is a series of steps, specific to the organization, that describe how the task will be completed to achieve results.

HHS recognizes that Covered Entities range from the smallest provider to the largest multi-state health plan. Therefore, the HIPAA Security Rule is flexible and scalable, allowing Covered Entities (CEs) and their Business Associates (BAs) to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular CE or BA will depend on the nature of its business, as well as its size and resources.

Security and compliance are first and foremost in the management of our clients' systems. After we conducted thousands of SRAs, common vulnerabilities began to emerge. We launched HIPAA Tip Tuesday to make clients aware of the actions they can take to address these vulnerabilities.

Have a great week!