HIPAA Policies and ProceduresHIPAA policies and procedures are an essential part of implementing an effective compliance program in your behavioral health practice.

Federal regulation requires that HIPAA Privacy and Security standards be addressed by a series of policies and procedures that work throughout your entire practice. These policies and procedures form the basis of your compliance program–all activities involving the use, storage, and distribution of protected health information (PHI) are governed by these regulatory standards.

There are many different resources available to covered entities (health care providers, health plans, and clearinghouses) to create policies and procedures for their organizations. Implementing good policies and procedures is not as simple as purchasing a binder, though. It’s important to keep in mind the HIPAA regulatory requirements that must be met in order to ensure your policies and procedures are compliant with the law.

Below, we discuss the major requirements that behavioral health specialists should keep in mind when deciding on HIPAA policies that they implement in their practice.

  • Policies and Procedures must be reviewed on an ongoing basis. If your practice undergoes a major change, your policies and procedures must be updated to reflect this chance. An example would be if you update workstations or change physical locations. Policies and procedures must accurately reflect the current state of your business, including privacy and security requirements that may change over time.
  • Policies and Procedures must be tailored to your practice. Stock binders of policies and procedures that are not customized to the way you do business can be dangerous in the event of a data breach or HIPAA investigation. If your policies and procedures do not match up with the particulars of your practice, you could be at risk of a fine in the event of a HIPAA audit.
  • Staff must be trained to follow all Policies and Procedures. Regular employee training sessions must be held so that staff members are aware of the policies and procedures of your practice. In addition to this training, staff members must attest with documentation that they have read and reviewed these HIPAA policies and procedures. In the event of a HIPAA breach, you must be able to prove that your employees were trained on the particulars of these policies and procedures in order to avoid monetary penalties.