Begin with code of conduct, policies, and procedures


Healthcare organizations face increasingly complex privacy and security issues as they cope with new technology, but many organizations are still struggling with the basics of establishing a compliance program.

A natural place to begin is a code of conduct, and policies and procedures, says Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Ariz.

Compliance officers in small organizations may be responsible for compliance with all regulations. In larger organizations, one or more individuals may be specifically responsible for HIPAA compliance. Regardless of organization structure, basic principles apply.


Write a code of conduct

A code of conduct, also known as standards of conduct, states that an organization will meet federal and state rules and regulations, including HIPAA, Ruelas says. It should clearly articulate the following:

  • Expectations. Define the behavior expected from all workforce members (i.e., employees, contracted vendors, and volunteers). Clearly state that you expect workforce members to adhere to the rules and regulations that govern an organization. Leadership should establish and ensure that expectations flow through an entire organization. Everyone must comply with the code of conduct.
  • Applicability. General statements are effective. For example, to whom does it apply? Everyone. When does it apply? Always. It should be applicable whenever staff perform work-related activities or represent the organization. Workforce members must know how the code of conduct affects what they do.
  • Effectiveness. A code of conduct must be effective and current, Ruelas says. Don't write a code of conduct and expect never to change it. Review and revise it to remain current, he says. Involve individuals affected by revisions in the process. An effective code of conduct requires that workforce members understand that it has the underlying support of those in authority.


Develop policies and procedures

Policies and procedures guide organizations with respect to ensuring compliance with regulations. Communicate their existence and location. (Refer to the October 2011 Briefings on HIPAA for a checklist of basic policies necessary for HIPAA compliance.)

The following guidelines can facilitate creation of effective policies and procedures:

  • Awareness. Workforce members must be aware of policies and procedures. Many organizations have good programs for explaining regulations to new workforce members, but ongoing awareness is important. Reintroduce information during meetings and post reminders in newsletters or near elevators.
  • Management. Assign responsibility to ensure timely updating. The designated individual can move policies and procedures through a review process. This is a significant, chronic challenge, Ruelas says. Organizations with privacy and/or security officers can delegate this responsibility to these individuals. Seek input about revisions from those affected by specific policies and procedures.
  • Accessibility. Make policies and procedures accessible. Be sure staff members can find them. Store them in a binder in each department, in a shared computer system folder, or in a cloud-based system.


Policies and procedures should answer questions but might not address every issue or answer every question. Designate individuals, such as on-call administrators or supervisors, to respond to questions. The privacy or security officer could respond to HIPAA questions.