What are the Differences Between "Policies" and "Procedures"?

Modified on Wed, 23 Jul at 10:50 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website does not, and is not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


Introduction

This article explains the concepts of "policies" and "procedures." Although the HIPAA Rules require implementation of policies and procedures, the rules do not explicitly define these terms. Fortunately, guidance from the Department of Health and Human Services provides some useful definitions, which are covered in this article.

What are Policies?

According to guidance from the Department of Health and Human Services, "policies" are documents that define an organization's approach to something. For example, most business policies establish measurable objectives and expectations for the workforce, assign responsibility for decision-making, and define enforcement and consequences for violations.

Policy: "Customers may return merchandise to our Returns Department within 30 days for a full refund to ensure satisfaction. Questions about whether a particular item qualifies for a refund should be directed to the Returns Department Director. Failure to abide by the terms of the policy may subject an employee to discipline."

Here, a store is informing its workforce what to expect from customers - that they may return merchandise if they are dissatisfied. The store is also setting a measurable objective - customers have 30 days to return merchandise to receive their money back. The responsibility for determination of what item ultimately qualifies for a refund is vested in the Returns Department Director, who enforces the policy in instances where an employee has questions about the policy's application to a particular piece of merchandise. Employees who fail to observe the policy may be subject to discipline.

What are Procedures?

Procedure: While a policy describes an organization's approach to something, procedures describe how the organization carries out the approach, setting forth explicit, step-by-step instructions that implement the policy.

So, a procedure for the above-quoted policy can read something like this:

"When a customer returns an item and requests a refund, the Returns Department Employee must respond to the request by:

1) Asking the customer for their receipt and ID.
2) Inspecting the item for damage.
3) Entering the return code in our Point-of-Sale.
4) Processing the refund to the original payment method.
5) Placing the item in the return bin.
6) Giving the customer a copy of the receipt.

Employees who are unsure whether an item qualifies for a refund should:

1) Ask the Returns Department Director or their designee as soon as possible.
2) Provide the Returns Department Director or their designee with all pertinent information about the refund request.
3) Obtain an answer from the Director or their designee.
4) Process the refund or explain to the customer that the refund cannot be processed, along with the reason why. If a customer asks to speak to a manager, the employee should notify the Director or designee, who can provide an explanation.

Employees must abide by the terms of this refund policy. If an employee does not abide by the terms of the policy, the employee may receive a verbal or written warning."

What is a HIPAA Example of "Policies and Procedures"?

The HIPAA Privacy Rule at 45 CFR 164.528 gives patients the right to request an accounting of disclosures of their PHI. A separate Knowledge Base article explains what this right consists of.


The policy language for a "Right to Request An Accounting of Disclosures of PHI" could read:

"Patients have the right under HIPAA Privacy Rule 45 CFR § 164.528 to request an accounting of disclosures of their protected health information (PHI) made by our organization. Upon patient request, we provide patients with a written accounting of certain disclosures made during the six years prior to their request, or for a shorter period if requested. This policy fosters transparency in how we share and disclose patient information, and respects the rights of patients to understand how we have used their health information."

The procedures for this policy would address how to carry out the policy requirements of providing the written accounting. Sample procedure language is provided below.

Step 1: Receiving the Request

  • Requests may be accepted in person, in writing, or by phone.
  • If a verbal request is received, provide the patient with a written form for their signature.
  • Document the date that the request was received.
  • Verify the patient's identity using two forms of identification.
  • For requests made by a personal representative, verify the authorization of the representative and the representative's relationship to the patient.

Step 2: Clarify Request Parameters

  • Confirm the time period requested (the maximum period is 6 years from the request date)
  • Explain that the first accounting in any 12-month period is free
  • Inform the patient of the fee amount for each additional request made within the 12-month period
  • Document the specific date range and any limitations requested by the patient

Additional steps can include procedural details for:

1. Identifying what specific disclosures to include in the accounting, making sure to include requested disclosures that the rule requires an accounting for, and excluding those for which the rule does not require an accounting.
2. Compiling reportable disclosures and the details of these disclosures.
3. Preparing the written accounting of disclosures.
4. Submitting the accounting to the Privacy Officer, who reviews it for completeness.
5. Delivering the accounting to the patient.
6. Processing fees for additional requests made within a 12-month period.
7. Documenting and maintaining records of requests and accountings.
8. Following up with the patient if the patient has questions about the accounting they received.






