HIPAA Compliance

Best Practices: HIPAA Procedure and Policy Templates

A Healthcare or Provider that deals with PHI (Protected Health Information) must comply with HIPAA. However, compliance is not easy. A HIPAA procedure and policy template is a simple utility for your organization to get on the same page.

A HIPAA policy and procedure template gives a healthcare provider or business associate a documented, repeatable way to meet HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule requirements. Instead of drafting compliance language from scratch, your organization adapts a template that already spells out how patient information is used, secured, and reported if a breach occurs.

Skipping this work rarely pays off. Policies that exist only in one employee's head, or in an outdated PDF from years ago, are what turn a routine audit into a costly HIPAA fine. A living template — reviewed and updated as HIPAA guidance and your organization change — makes staying compliant far less painful than reconstructing your policies after the fact. Here are the sections every HIPAA policy and procedure template should include.

What are Procedures and Policy Template?

HIPAA is ambiguous purposely in order to allow for flexibility in it's implementation as there is no one-size-fits-all approach but how do you know if you’re doing everything correctly? How do you know if your organization is complying with the HIPAA Guidelines you established all those years ago in the basement?

In order to achieve compliance and sleep at night the practice of creating policies and procedures template documents will make compliance less painful.

Policies require updating and the old days of writing a policy once and changing the date on the cover page occasionally are over. HIPAA Requirements change, organizations change, privacy rules and rights change, so you need a template that is flexible and can be updated easily and deployed quickly.

Here are some things that should be on all HIPAA Policy and Procedure Templates

A template will help you preserve essential elements required by HIPAA. It also gives you the freedom to drop in new sections, add requirements, and rephrase your language as needed. Every organization’s HIPAA template will be different, but it’s a good idea to include these 3 sections. Creating a master template will give you the flexibility to add, remove and edit your policy language whenever you need to. As every organization has different requirements and policies these are some sections that should be on all policy and procedure templates:

Privacy Rule Requirements

To address HIPAA Privacy Rule requirements, your template should include a section that spells out how your organization uses, shares, and discloses patient information, specifically Private Health Information (PHI). This section should also contain copies of your relevant policies and forms, like:

  • Privacy notices
  • (BAA) Business Associate Agreements
  • Complaint Forms / Policies
  • Notice of your privacy practices or link to your privacy policy

The Minimum Necessary Rule, part of the Privacy Rule, requires policies that show you’re making a “reasonable effort” to limit access to patient data. Detail how you handle access control, encryption, or tokenization here — a high-level executive summary of your practices, not a full security document.

Security Rule Requirements

The HIPAA Security Rule covers a large portion of the HIPAA requirements. It sets standards for the physical, technical, and administrative security of PHI.

  • Physical Security: Part of your document is just for your physical security policies. This includes things like cameras, biometric security devices, and access control devices as well as mobile device policies and infrastructure security at a physical location.
  • Technical Security: This is one of the most important sections of the HIPAA Security Rule. These requirements include audits (self and 3rd party) and assessments. This should be very detailed and include policies on encryption standards, password requirements, and security responses to a breach event. It's better to have more than less detail here.
  • Administrative Security: This section should cover risk management, employee training and compliance, and your policies for disciplining employees who commit HIPAA violations.

Breach Notification Rule

Reporting a breach means the worst-case scenario has occurred. The key is to stick to your policies: a well-thought-out, disciplined breach response is far less likely to draw a heavy fine than a hodge-podge stack of ad hoc decisions.

The Breach Notification Rule requires you to report breaches to affected patients (even if they were referred and never actually became patients) and, in some cases, to law enforcement. This part of your template should expand into how your organization responds to threats, covering:

  • What information you are required to report, determined by the type of breach.
  • The types of breaches that could happen to your organization.
  • Who reports the breach, to whom, and how it is reported.

This is just the start of getting your HIPAA procedures and policy templates formalized. You will have other requirements including HITRUST, SOC2, SSAE16 or other certifications depending on your organizations requirements. That is outside the scope of this article thankfully there are a tremendous amount of resources on the internet to help you get compliant.

Reach out to us today at 800-473-6208 or sales@westfax.com to learn more.