Drafting Policies

Workplace policies often reinforce and clarify standard operating procedure in a workplace. Well written policies help employers manage staff more effectively by clearly defining acceptable and unacceptable behaviour in the workplace, and set out the implications of not complying with those policies.

A workplace policy consists of a statement of purpose and one or more broad guidelines on action to be taken to achieve that purpose. The statement of purpose should be written in simple terms, free of jargon. The length of the policy may vary depending on the issue it addresses.

A policy may allow discretion in its implementation and the basis of that discretion should be stated as part of the policy. A policy may also be required where there is a diversity of interests and preferences, which could result in vague and conflicting objectives among those who are directly involved.

^{(NSW Government, n.d.)}

Policy contents

Organisational policies will vary depending on topic matter and purpose, but should be comprehensive, and should generally contain the following sections:

1. Rationale or purpose statement: Reason for issuing the policy and the desired effect or outcome.
2. Scope or coverage statement: State who is covered and affected by the policy, and who may be exempt.
3. Date: State when the policy comes into force.
4. Definitions: Include clear and unambiguous definitions for terms and concepts in the document.
5. Responsibilities: State who is responsible for carrying out individual policy statements.
6. Policy statement/s: Specific regulations, requirements or modifications to organisational behaviour.
7. Procedures: Policies and procedures may be separate documents, however if you are drafting an operational policy, it should detail set procedures to be followed.
8. Date of review: Specify date set for review and frequency of reviews.

Organisational policy development: key considerations

Best practice approaches to developing and implementing policies include:

• Accessibility: Ensuring policies are made widely available and in accessible formats.
• Clarity: Ensuring policies are written in a clear, concise manner using plain English.
• Accountability: Policies and procedures should set out who is accountable for implementing the procedures, and also accountability for updating/maintaining the currency of the policy.

^{(BNG NGO Services Online, 2022)}

Recruitment Policy

Policy

{Business Name} recognises a robust and professional approach to recruitment and selection helps us to attract and appoint individuals with the necessary skills and attributes to fulfil our aims and support our business goals.

All appointments should be made on the Principle of Merit, compliance with all relevant Federal and State Legislation and adherence to this policy and related processes.

Our business recruits people via the following methods:

• Internal
• External
• Employee Referred

^{(2019, p. 23)}

My Health Record System Policy

1. Background and rationale

To govern the use of the My Health Record system, the My Health Record system Rule states that in order to participate in the My Health Record system, your organisation needs a written policy in place to address access and security issues relating to the use of the system.

2. Purpose

To ensure our practice conforms with the requirements of the My Health Record Act by addressing each of the requirements specified therein.

3. Scope of Policy

The policy extends to all AHPRA registered healthcare practitioners working within the practice and administrative staff who have responsibility for maintaining user access to the My Health Record System on behalf of the practice.

4. Description

All healthcare practitioners within the practice actively use My Health Record system to access and upload patient health information as required in the provision of healthcare. Examples of health information that can be accessed and uploaded are allergies, current medications, investigation reports, diagnosis and patient health summaries.

^{(Allied Health Professions Australia [AHPA], 2019, p. 10)}

Reading G

This reading is the suggested workplace discrimination and harassment policy suggested by the Australian Human Rights Commissions (AHRC) and guiding information. Note the definitions and details provided, such as links to legislation, to help staff gain a thorough understanding of the issues the policy is designed to address.

  1. Practice procedure
5.1 Managing user accounts:

• An up to date register is maintained, including the names and positions of staff who are authorised to access the My Health Record system
• Healthcare provider software controls ensure access to the My Health Record system is limited to those staff whose duties require them to access the system. Any person involved in an individual's healthcare who is authorised by the healthcare organisation can access a My Health Record.
• Each staff member is provided with a unique user account with individual login details and these details should not be shared with others.
• Staff passwords are regularly reviewed, changed and sufficiently complex i.e. a combination of more than 13 letters, numbers and symbols
• Users are required to deactivate screensavers by entering their username and password or other suitable method of user authentication.
• A user account is immediately suspended or deactivated when a user leaves the organisation, has the security of their account compromised or whose duties no longer require them to access the My Health Record system
• A user account is inactivated/deleted after the departure of the staff member as part of the organisation's off-boarding process
• Where access to the My Health Record National Provider Portal access is required, the organisation maintains a list of up-to-date authorised providers and communicates this with the Australian Digital Health Agency (the System Operator).

5.2 Identification of staff:

• Clinical software is used to assign and record unique internal staff member identification codes, including a Healthcare Provider Identifier-Individual (HPI-I), when applicable.
• The unique identification code, or the provider's HPI-I, is recorded by the clinical software for each instance of My Health Record system access.
• HPOS / PRODA is used to maintain a list of HPI-I numbers for each current staff member requiring access to My Health Record.

5.3 Staff training:

• All staff requiring My Health Record system access undergo training before accessing the system.
• Training is provided and outlines how to use the My Health Record system accurately and responsibly, the legal obligations for organisation and individuals using the system, and the consequences of breaching these obligations.
• Training is provided to staff on a regular and ongoing basis to ensure changes are communicated and understood by all practice team members
• A register of staff who have attended training is maintained.
• Staff that are not eligible to access the My Health Record understand their obligations in relation to privacy and security of patient information.

5.4 Destroying My Health Record document codes:

• Staff provided with My Health Record security codes (by their patients) to access restricted records and documents within the My Health Record system must not record these within the clinical desktop software system or in any other electronic format.
• If codes are recorded on paper, these documents must be destroyed immediately following the consultation / when no longer required by placing them in locked containers that are removed and shredded.

5.5 Handling of privacy breaches and complaints:

• The organisation has a reporting procedure to allow staff to inform management regarding any suspected security or privacy issues or breaches of the My Health Record system.
• An incident register/log is kept of any suspected breaches, including details of the date and time of the breach, the user account that was involved and which patient's information was accessed, if known.
• A process is in place for the Responsible Officer (RO) or Organisation Maintenance Officer (OMO) to report a breach to the System Operator (the Australian Digital Health Agency).
• If a patient raises an issue in relation to unauthorised access to their My Health Record, the organisation has a complaints management process to take steps to investigate the issue.

5.6 Risk assessments:

• The organisation undertakes periodic privacy and security risk assessments of staff use of the My Health Record system and the organisation's ICT systems generally, and implements improvements as required.
• All risk assessments are documented appropriately.

^{(2019, pp. 10-12)}

Case Study

As she prepares to draft the new secure messaging policy, Monia searches for existing policies or templates and finds one provided by AHPA. It’s background and purpose seem to align with the aims of introducing secure messaging in her practice, and the scope and description are similarly aligned with her intentions for her new policy:

1. Background and rationale

Secure electronic messaging significantly lessens the chance of clinical information being accessed and read by anyone other than the nominated addressee. While electronic transmission carries an inherent risk of inadvertent wider broadcast of information, it also offers the opportunity to protect information more efficiently through higher security standards, encryption, audit trails and point to point transmission of data.

2. Purpose

To ensure that our practice utilises standards-compliant secure messaging systems that have the capability to both securely send and transmit clinical messages to and from other healthcare providers. (p. 8)

3. Scope of policy

All messages sent and received that contain clinical information. All health practitioners working within the practice or their nominated representative.

4. Description

Secure Messaging Delivery System – [Insert name of secure messaging software]

All healthcare practitioners within the practice actively use secure messaging (within the clinical software where available) to send, receive and act upon patient clinical documentation/information. Examples of clinical information are referrals to other practitioners, allied health and specialists. (2019, p. 8)

When Monia reviews the procedure, however, she realises that the policy she develops will need to have significantly more information that the template provides:

5. Practice procedure

Our practice:

• sends and receives correspondence and reports to and from our clinical desktop system to other healthcare providers through the use of conformant secure messaging software
• supports all healthcare providers in our practice to actively use secure messaging software to send and receive patient documentation, where feasible
• adheres to the use of compliant software to ensure that message contents are encrypted for the entire transmission process using appropriate digital certificates
• has verified that the installed software for secure messaging delivery has been configured in accordance with commissioning requirements
• does not support or condone the use of insecure electronic methods of transmission for communications containing identifiable clinical information (e.g. standard email)
• encourages a sustained increase in the use of standards-compliant secure messaging systems
• where possible uses a National Authentication Service for Health (NASH) Public Key Infrastructure (PKI) organisation certificate to facilitate sending and receipt of documents.
• provides practice-based education and skills-based training to all healthcare providers and staff to ensure compliance with the policy and competency in the use of the technology

6. Related resources

Secure messaging | Australian Digital Health Agency

My Health Record conformant clinical software products | Australian Digital Health Agency (Adapted from AHPA, 2019, pp. 8-9)

Many of her staff, for example, will not know what some of the terms mean. She also considers the need for the responsibilities of particular roles, including her own, in making sure that the policy is adhered to and providing the necessary resources. Monia decides that she will add a ‘Definitions’ section and expand the basic procedure so cover:

• The general responsibilities of workers and managers at the practice.
• The specific responsibilities of management, including ensuring the appropriate processes in installing and updating the secure messaging system and oversight of its use.
• A procedure for the senior member of every team to monitor the use of communications systems and compliance with the policy, including identifying and meeting staff training needs.
• A procedure for client-related communication with a practitioner or organisation not using a compatible secure messaging system.

Self-Reflection

Think about the different types of policies you will need to develop as a practice manager.

What are the essential points that you think are required regardless of the format used?

Have you seen one or two formats that you think are particularly effective? What do you like about them?

Do you think the same kind of format and level of detail will be needed for all of them?

Reading H

This reading gives you an introduction to, and simple steps for starting to develop plain language resources. These principles are not only excellent for your internal organisational communication but will help you develop resources and communications with external stakeholders, such as clients and community members. Plain language documents are easily understandable by most adults and many younger people. There may still be situations in which you need to have documents translated or adapted, or to work with interpreters, so that people who are unable to thoroughly comprehend the documents themselves are supported in doing this. You can find more guidance on writing accessible, inclusive documents in the Australian Government’s Style Manual.

Self-Reflection

Find several examples of healthcare practice philosophies online. What themes do they share? How do you think these might influence the behaviour of staff (including managers)? How might they influence the development of policies relating to service provision, human resources, and staff behaviour?

Organisational Culture

Organisational culture is the outcome of many factors, forces and influences. Key elements and attributes of culture are:

1. individual values: Individual values are the ideas, actions and relationships that an individual holds to be of most importance. They are a significant influence on the way an individual interprets, responds to and acts within the workplace.
2. organisational values: The roles, functions and aims of an organisation determine what, collectively, needs to be valued most in order for the organisation to succeed. These are commonly expressed through corporate documents such as strategies, annual reports or press releases. […]
3. alignment between personal values and organisational values: A functional culture is fostered when staff perceive that there is some alignment, connection or ‘line of sight’ between their individual values and what needs to be valued for the organisation to succeed.
4. dynamism: An individual’s values can shift and be re-ordered. Equally, what needs to be valued within an organisation can change in response to a range of internal and external influences. Thus the collective alignment of individual and organisational values— organisational culture—is fluid and subject to change.
5. the role of leaders: Leaders in organisations influence culture by acting as role models for the behaviours and actions that align with what the organisation needs to value the most. Leaders also help staff to identify a connection between personal values and organisational values. […]

^{(State of Victoria, 2013, p. 18)}

Questions to Consider when Assessing Organisational Culture

When considering the following questions:

• look for disparity between ‘stated’ individual and organisational values versus ‘revealed’ values; do the stated values correspond to what you actually see? For example, when staff (or leaders) claim to value collaboration and cooperation, do you actually see insularity and disconnection?
• don’t just go to your ‘go-to’ people. The high profile, vocal and visible employees within an organisation may provide useful insight into the prevailing organisational culture, but won’t necessarily tell you about subcultures or countercultures.
• look out for the ‘poor cousins’ of the organisation; are there groups (formal divisions, particular disciplines, or a social grouping) whose contributions are perceived as less valuable than those of others?
• What do you hear staff say when they discuss work, clients, other divisions, or their managers?
• What do leaders say when they discuss work, clients, other divisions in the organisation, or their staff?
• What do staff and leaders talk freely and enthusiastically about?
• Are there ‘elephants in the room’? What do people avoid discussing?
• Are there ‘sacred cows’? What principles, processes or people do staff take steps to defend?
• What makes staff and leaders upset or angry?
• What sayings, slogans or mottos are repeated throughout the organisation?
• How do staff celebrate individual and organisational milestones?
• Who attends social events?
• Who interacts with whom at social events?
• What stories do you hear?
• Who tells the stories?
• What is the message or moral of the stories?
• How are those with different views treated?
• Is debate welcomed, or are divergent views ignored or shut out?
• How do staff and leaders behave in response to ad hoc requests, especially those that are unusual or require extra effort?
• What makes staff (including leaders and managers) stressed or anxious? For example, demanding deadlines, unfavourable media attention or external scrutiny).
• What appears to matter more?
• rules or relationships?
• the individual or a group?
• self-control or self-expression?
• achievement or approval?
• creativity or compliance?
• convention or inventiveness?
• avoidance of conflict, resolution of conflict, triumph over others?
• What do managers pay the most attention to?
• Do they focus on problems and crises?
• Do they also acknowledge successes?
• How are decisions made?
• by one person, by consensus, or not at all?
• What kinds of behaviours get rewarded?
• getting along with colleagues, getting things done, something else?
• What kinds of behaviour are frowned upon or condemned?
• How is poor behaviour dealt with? Is it ignored or tolerated, or is it reprimanded?
• If the organisation were a person, how would you describe it?

^{(State of Victoria, 2013, p. 18)}