There is often a misconception that regulations, policies, procedures, standards, and guidelines are interchangeable or synonymous with each other. This could not be further from the truth. To understand the differences, these terms need to be fully explained as they relate to compliance and defined as they relate to HIPAA and HITRUST CSF.

HIPAA is legislation composed of regulations that are legally mandated. These regulations must be implemented and compliance must be met or there could be severe consequences. Regulations form the basis for a covered entity’s policies. Policies are the intentions of the organization’s management to comply with the regulations.

Policies are documented, highlevel requirements that are approved by management to provide direction for employees in the process of complying with the stated objectives. Policies set the standards that help produce the procedures that will be followed to carry out the policies’ objectives. Standards attempt to tie the procedures with the associated policies. Procedures are more detailed than policies and normally provide stepby-step instructions for complying with the policy.

Typically, a covered entity has one policy statement and several procedures that explain what should be done to carry out the policy. Once procedures have been developed, guidelines are usually established. Guidelines are common practices that are followed by employees of a covered entity and are usually the “reallife” practices that are established by a given procedure.

Each policy contains:
• Purpose
• Policy statement
• Background/definitions
• Standards
• Implementation procedures
• Reporting/documentation

If any client wants to view any of our policies we would be happy to provide you with a copy.