The words "policies" and "procedure(s)" are not specifically defined in HIPAA. However, in the publication "HIPAA Security Series" (2007, HHS.gov), policies are described as "an organization's approach," and procedures as "how the organization carries out that approach."
"Policies and procedures and documentation requirements" (45 CFR § 164.316) of the Security Standards states that Covered Entities must:
"Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv) [the Security Standards: General Rules, Flexibility of Approach]. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart."
Sections 164.306(b)(2)(i) through (iv) are cited directly in that text. They make up the Flexibility of Approach provision of the Security Standards General Rules, and they list the factors that Covered Entities (CEs) and Business Associates (BAs) must take into account when deciding how to implement security measures.
The Flexibility of Approach is specified as follows:
| Section | Factor |
|---|---|
| 164.306(b)(2)(i) | The size, complexity, and capabilities of the covered entity or business associate. |
| 164.306(b)(2)(ii) | The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities. |
| 164.306(b)(2)(iii) | The costs of security measures. |
| 164.306(b)(2)(iv) | The probability and criticality of potential risks to electronic protected health information. |
To reiterate, these factors are not an excuse to forgo the standards. The Flexibility of Approach is built into the provisions so that organizations can adopt and apply security measures that are reasonable and appropriate for their specific circumstances, not so that they can skip requirements.
The Flexibility of Approach comes into play particularly when creating policies and procedures to satisfy the Required and Addressable implementation specifications, and it has the most influence on the Addressable ones.
Required Specifications, as the name implies, must be implemented as described in the HIPAA standards. With Addressable Specifications, on the other hand, HIPAA directs Covered Entities (CEs) and Business Associates (BAs) to do one of the following: (a) implement the addressable implementation specification; (b) implement one or more alternative security measures that accomplish the same purpose; or (c) implement neither the addressable implementation specification nor an alternative.[1] Options (b) and (c) are only available where the organization has assessed the specification and determined that it is not reasonable and appropriate in its environment; "addressable" does not mean "optional."
As these directives on Addressable Specifications show, organizations have latitude to implement HIPAA according to their own needs and capabilities.
Lastly, when it comes to the Flexibility of Approach, Addressable Specifications, and formulating HIPAA policies and procedures, an organization's responsibilities do not end with its decision, whether it implements an alternative measure or chooses not to implement at all. HIPAA requires the organization to document in writing the decision it took and the basis for that decision (for an Addressable Specification, why the specification was not reasonable and appropriate and, where applicable, how the alternative measure accomplishes the same purpose), to retain that documentation, and to review and update it as needed.