Resources

Best Practices: HIPAA Procedure and Policy Templates

Best Practices: HIPAA Procedure and Policy Templates

A Healthcare or Provider that deals with PHI (Protected Health Information) must comply with HIPAA. However, compliance is not easy. A HIPAA procedure and policy template is a simple utility for your organization to get on the same page.

While a procedures and policies template may sound like more work it is better than the nightmare of potential HIPAA fines. As Abraham Lincoln said: "Give me six hours to chop down a tree, and I will spend the first four sharpening the axe". Here are some examples of best practices with regards to HIPAA Procedures and Policy templates.

What are Procedures and Policy Template?

HIPAA is ambiguous purposely in order to allow for flexibility in it's implementation as there is no one-size-fits-all approach but how do you know if you’re doing everything correctly? How do you know if your organization is complying with the HIPAA Guidelines you established all those years ago in the basement?

In order to achieve compliance and sleep at night the practice of creating policies and procedures template documents will make compliance less painful.

Policies require updating and the old days of writing a policy once and changing the date on the cover page occasionally are over. HIPAA Requirements change, organizations change, privacy rules and rights change, so you need a template that is flexible and can be updated easily and deployed quickly.

Here are some things that should be on all HIPAA Policy and Procedure Templates

A template will help you preserve essential elements required by HIPAA. It also gives you the freedom to drop in new sections, add requirements, and rephrase your language as needed. Every organization’s HIPAA template will be different, but it’s a good idea to include these 3 sections. Creating a master template will give you the flexibility to add, remove and edit your policy language whenever you need to. As every organization has different requirements and policies these are some sections that should be on all policy and procedure templates:

  1. Privacy Rule Requirements
    To address HIPAA Privacy Rule requirements, include a section in your template that spells out how your organization uses, shares, and discloses patient information. This should include copies of your policies and forms, like:

    The Privacy rule requirement spells out how your enterprise shares, uses and discloses PHI (Private health information). The sections that should be included in this template are:

    • Privacy notices
    • (BAA) Business Associate Agreements
    • Complaint Forms / Policies
    • Notice of your privacy practices or link to your privacy policy


    The Minimum Necessary Rule is a part of the Privacy Rule that you need to address in this section of your template. Write policies that show you’re making a “reasonable effort” to limit access to patient data. Detail how you do access control, encryption or tokenization in this section.

    There is a rule called the "Minimum Necessary Rule" that lives inside the Privacy Rule that shows your making "Reasonable efforts" to limit availability and access to patient records. You should provide details on how you manage access control, your encryption standards and security practices. It doesn't have to be a giant security document but rather a high level executive description of your policies and procedures.

  2. Security Rule Requirements

    The HIPAA Security Rule covers a large portion of the HIPAA requirements. The SR proffers standards for physical security, technical security and administrative security of PHI.
    • Physical Security: Part of your document is just for your physical security policies. This includes things like cameras, biometric security devices and access control devices as well as mobile device policies and infrastructure security at a physical location.

    • Technical Security: This is one of the most important sections of the HIPAA Security Rule. These requirement include audits (self and 3rd party) and assessments. This should be very detailed and include policies on encryption standards which change monthly these days, password and security responses to a breach event. It's better to have more than less detail here.

    • Administrative: How does your company deal with HIPAA compliance? This section of your policy should touch on risk management, employee training directives, and your policies for disciplining employees for committing HIPAA violations.

    • Administrative Security: This section of your Procedure and Policy template should cover topics such as Risk Management, employee training and compliance and policies for employees facing discipline for HIPAA violations.



  3. Breach Notification Rule Requirements

    Reporting Breaches mean the worst case scenario has occurred. The key thing to remember is to stick to your policies. These policy documents, while dense and painful to create are what will make the difference. You are less likely to face a heavy fine if you have a well-thought and disciplined policy instead of a hodge-podge stack of documents.

    The Breach Notification Rule requires you to report breaches to affected patients (even if they were referred and never actually became patients) and, in some cases, to law enforcement. This part of your template should expand into how your organization responds to threats. You’ll need to include information regarding:

    • What information you are required to report determined by the type of breach.
    • The types of breaches that could happen to your organization.
    • Who reports the breach, to whom and how it is reported.


This is just the start of getting your HIPAA procedures and policy templates formalized. You will have other requirements including HITRUST, SOC2, SSAE16 or other certifications depending on your organizations requirements. That is outside the scope of this article thankfully there are a tremendous amount of resources on the internet to help you get compliant.

Reach out to us today at 800-473-6208 or sales@westfax.com to learn more.