What are the Differences Between "Policies" and "Procedures"?

Modified on Mon, 11 Dec, 2023 at 12:08 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.



This article covers the difference between the concepts of "policies" vs. "policies and procedures."

“Procedures”:
Some HIPAA regulatory language specifically requires development or implementation of “procedures,” not “policies and procedures.”

Take, for example, the Security Rule Provision, at 45 CFR 164.308(a)(5)(II)(D). It states:

Password management (Addressable).
 Procedures for creating, changing, and safeguarding passwords.”  (As in, “Implement procedures for creating, changing, and safeguarding passwords.”).   The question for this control would be,  “Do you have procedures for creating, changing, and safeguarding passwords?” The remediation for the control would be, ”You must implement and operationalize procedures for creating, changing, and safeguarding strong passwords, and train employees on these procedures.”

The language, “implement procedures,” means:

(1) Write the procedures.
(2) “Bring them to life” (operationalize them) by actually applying them to the workforce and to an organization’s operations.

“Policies and Procedures”:
A regulation may use the phrase“policies and procedures.”

Example: 45 CFR 164.310(b) states, “
Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”

A policy is a statement by an organization that it meets or will meet the requirements of a particular regulation.

Example: “It is the policy of the organization to develop and implement appropriate workstation use measures. Appropriate workstation use measures include measures that specify the proper functions to be performed by a workstation, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”

An organization must then develop a series of measures that explain HOW the organization proceeds to “make good” on the policy. These measures are procedures. procedures. (An analogy: I can have a policy “to drive to my grandmother’s house every Monday to visit her in the evening.” How do I make sure that I make the visit? The procedures would cover the time I leave my own home for the visit, the time by which I am expected to arrive, and the route I am to take. Additional procedures might include cover unusual circumstances, e.g., “In the event it is raining when I leave, I will leave an extra half hour early,” or activities that must be undertaken to make sure I get to the house on time (e.g. “Make sure the car has enough fuel,” “Read the traffic report,” “Monitor the traffic with a GPS device.”).

The following language is procedure language for the policy obligations requiring “the proper functions to be performed,” “the manner in which those functions are to be performed,” and “the physical attributes of the surroundings of a specific workstation or class of workstation that can access protected health information.”

Organization will instruct employees how to adequately shield observable ePHI from unauthorized disclosure and unauthorized Access on computer screens.

  • Organization will train employees as to where to place and position computers to only allow viewing by authorized individuals. Once trained,  the  workforce shall make every effort to ensure that ePHI and any other confidential information on computer screens is not visible to unauthorized persons. An example of proper placement and positioning: If the receptionist’s screen is visible from the patient exit area, workforce members will either put a screen cover on the monitor or move the desk to minimize incidental viewing of PHI.  

  • Workforce members working in facilities that are not part of Organization will maintain awareness of their surroundings to ensure that no one can incidentally view ePHI, and that no ePHI is left unattended. Workforce members who travel to different locations during the workday to collect or to transmit ePHI, may  not leave ePHI unlocked or visible in their vehicles. Devices containing ePHI should be locked and stored out of sight (such as in the trunk).  In addition, these workforce members may not leave any ePHI in client facilities/homes.

  • Organization will utilize session lock for workstations. A session will lock after a maximum of 15 minutes of inactivity (best practice: 5 minutes). Session lock blocks further Access until the workforce member logs back in using the identification and authentication process.

  • Members of the workforce may not store ePHI on non-approved devices or equipment. In smaller or simple environments, this can mean prohibiting the use of any devices that are not included on the Device Audit. In order to ensure that ePHI is not stored on non-approved devices or equipment, Organization might implement zero trust or network Access control solutions.

  • Members of the workforce may not copy or transmit ePHI onto non-approved devices or equipment. In smaller/simpler environments, this can be managed through policies, procedures, and training. In higher-risk environments, data classification and control solutions may be implemented to actually prevent the transfer of data to unapproved locations. Example: Organization uses Microsoft, but a receptionist prefers using Dropbox. In such a circumstance, Organization may not allow the receptionist to upload ePHI to Dropbox, unless Dropbox is Organization’s business associate, with a business associate agreement on file.

  • Organization will require that remote Access to ePHI by workforce members who work from home or other non-office sites, be through secure channels only. This secure channel requirement applies to workforce members who telecommute, to workforce members who are traveling, and when workforce members are at locations other than the facility. Organization, to ensure Access is through secure channels, may require the use of VPN for all remote workforce members, and may implement a Remote Workforce Member Policy.  

  • Members of the workforce may not store unencrypted ePHI on portable electronic devices, including laptops."




Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article