Policies and Procedures – Canned or Custom?

When it comes to HIPAA compliance, having policies and procedures in place is a must. Covered entities and business associates must implement policies and procedures to protect the confidentiality, integrity, and availability of protected health information (PHI) and comply with the HIPAA Privacy, Security, and Breach Notification Rules. But should an organization create custom policies and procedures or use “canned” policies and procedures that are readily available?

Creating Custom Policies and Procedures

Custom policies and procedures are tailored to an organization’s unique needs and circumstances. Creating custom policies and procedures involves conducting a thorough risk analysis to identify vulnerabilities and developing policies and procedures that address those vulnerabilities. Custom policies and procedures can also incorporate best practices specific to an organization’s industry or business model.

Pros:

1. Tailored to the Organization: Custom policies and procedures are designed to meet an organization’s specific needs, so they are more likely to be relevant and effective.
2. Incorporate Best Practices: Custom policies and procedures can incorporate best practices specific to an organization’s industry or business model.
3. Greater Flexibility: Custom policies and procedures can be updated and revised as needed to keep pace with changes in the organization or in regulations.

Cons:

1. Time-Consuming: Creating custom policies and procedures can be time-consuming and resource-intensive, requiring significant input from staff and management.
2. Costly: Developing custom policies and procedures can be costly, particularly for smaller organizations.

Using “Canned” Policies and Procedures

“Canned” policies and procedures are pre-packaged templates or documents that can be customized to an organization’s needs. They are often available from consultants or other third-party vendors who specialize in HIPAA compliance.

Pros:

1. Less Time-Consuming: Using “canned” policies and procedures can save time, as they require less input from staff and management.
2. More Cost-Effective: “Canned” policies and procedures are often less expensive than custom policies and procedures.
3. Easy to Implement: “Canned” policies and procedures can be implemented quickly, as they are readily available and require minimal customization.

Cons:

1. May Not Be Tailored to the Organization: “Canned” policies and procedures may not be tailored to an organization’s unique needs, potentially leaving vulnerabilities unaddressed.
2. May Not Incorporate Best Practices: “Canned” policies and procedures may not incorporate best practices specific to an organization’s industry or business model.
3. May Not Be Up-to-Date: “Canned” policies and procedures may not reflect the most current regulations or best practices.

Be wary of a canned solution. Violations happen. Fines happen. One such instance occurred in 2017 when the University of Massachusetts Amherst (UMass) settled a HIPAA violation case for $650,000 with the U.S. Department of Health and Human Services (HHS).

In this case, the violation occurred due to UMass’s use of a “canned” policy and procedure for protecting patient data. The university had adopted a generic risk analysis and risk management plan template that did not reflect the specific risks and vulnerabilities of its own operations. As a result, the university failed to implement appropriate safeguards for the protection of electronic protected health information (ePHI) on its network.

Specifically, UMass experienced a data breach in 2013 that compromised the ePHI of 1,670 individuals. An investigation by the HHS Office for Civil Rights (OCR) found that UMass had failed to conduct an accurate and thorough risk analysis of the ePHI stored on its network, and had failed to implement appropriate security measures to reduce the risks and vulnerabilities identified in the risk analysis. The OCR also found that UMass had failed to implement adequate policies and procedures for information system activity review, access controls, and audit controls.

The use of a “canned” policy and procedure template may have contributed to UMass’s failure to conduct an accurate and thorough risk analysis, and to implement appropriate security measures for the protection of ePHI. This case underscores the importance of tailoring policies and procedures to the specific needs and risks of an organization, rather than relying on generic templates. It also highlights the need for regular risk assessments, the implementation of appropriate safeguards, and the enforcement of policies and procedures to ensure compliance with HIPAA regulations.

Whether an organization should create custom policies and procedures or use “canned” policies and procedures depends on its unique needs and circumstances. While custom policies and procedures offer greater flexibility and can incorporate best practices specific to an organization’s industry or business model, they can also be time-consuming and costly. “Canned” policies and procedures can be a good temporary solution in order to get something going quickly if no policies or procedures are in place. They are less time-consuming and more cost-effective, but will have to evolve quickly in order to fit the company. They are not tailored to an organization’s unique needs or incorporate the latest best practices. Ultimately, the decision to use custom policies and procedures or “canned” policies and procedures should be based on a careful evaluation of an organization’s resources and goals.