Needless to say, our country is in the middle of a very interesting time. Historians and sociologists will be busy for a decade studying the impact and reaction of COVID-19, not just in health care but in our society as a whole. It is times like these that reinforce the need for solid, well-drafted policies. When times are good and operations are humming along as they should, there really isn’t much of a need for policy guidance; but when times become turbulent, an organization’s policies provide the guidance needed to ensure consistent and compliant operations continue.
Let’s face it, many people are scared right now. Whether it be media hype or healthy respect for something that no one has ever been through before, fear is leading people to behave in ways that are not normal. Hoarding of food and toilet paper, shaming of those who may be responding to this situation differently than the person doing the shaming feels they should, or even refusing to come to work out of fear of contracting the virus. Our country, and all health care providers, are experiencing things they have never experienced before. When people act abnormally, or even irrationally, they often fail to follow even basic protocols. This is where good policies come in.
The purpose of a compliance or HIPAA policy is to define expected behavior irrespective of the situation. Regardless of what is going on in the world, protected health information is still protected; the minimum necessary requirement still applies, and service documentation must still be properly completed. One of the purposes of policies is to set forth the rules and expectations. We as humans perform best when we know what is expected of us and when everyone knows the rules of the game. Without rules, the game quickly gets out of whack.
The OCR has taken a position of discretionary enforcement on some aspects of HIPAA such as telehealth during the COVID-19 crisis but they have also repeatedly stated providers must make a good faith effort to comply with all aspects of the Privacy, Security and Breach Notification Rules. The crisis does not give employees or organizations permission to ignore the rules, rather, now is the time to take a moment, (even though no provider feels they have a spare moment) to refer back to the policy to ensure the actions and behaviors being exhibited comply with what is required. Policies are like guard rails on a highway; when the road is straight there is no need for guard rails but when there is a curve, the guard rails keep us from going off the cliff. We are in a time full of curves and it is now that our policies are most important.