HIPAA Policies and Procedures

Episode 45: Know The Rules! Policies and Procedures

In this week’s “Know The Rules!,” I am diving a little deeper into the Policies and Procedures, part of the Administrative, Physical, Technical, and Organizational Safeguards of the Health Insurance Portability and Accountability Act (HIPAA) security standard, 45 CFR § 164.316.

The Policies and Procedures standard requires Covered Entities (CEs) and Business Associates (BAs) to implement and maintain reasonable and appropriate written policies and procedures and documentation necessary to comply with the provisions of the Security Rule. Specifically, it requires CEs and BAs to:

“Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv) [the Security Standards: General Rules, Flexibility of Approach].

This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. CEs and BAs may change their policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.”

While this standard requires CEs and BAs to implement policies and procedures, the Security Rule does not define either “policy” or “procedure.”

Generally, policies define an organization’s approach. For example, most business policies establish measurable objectives and expectations for the workforce, assign responsibility for decision-making, and define enforcement and consequences for violations.

Procedures describe how the organization carries out that approach, setting forth explicit, step-by-step instructions that implement the organization’s policies.

The Policies and Procedures requirements include:
Note: (R) = Required      (A) = Addressable

  1. Policies and Procedures – 45 CFR 164.316(a)
  2. Documentation – 45 CFR 164.316(b)(1)

The following table contains a list of possible Security Areas to Consider and Examples of Potential Security Measures:

Policies and Procedures - Table 1

The following table contains a list of possible Security Components, Examples of Vulnerabilities, and Examples of Security Mitigation Strategies for the Organizational Safeguards.

Policies and Procedures

Your policies and procedures (P & P’s) should reflect the mission and culture of your organization; thus, the Security Rule enables each CE or BA to use current standard business practices for policy development and implementation. P & P’s required by the Security Rule may be modified as necessary to meet the changing needs of the organization, as long as the changes are documented and implemented in accordance with the Security Rule.

The P & P’s standard is further explained and supported by the Documentation Requirement.


The Documentation Requirement requires CEs and BAs to:

“(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”

A CE must maintain, for a period of six years after the date of their creation or last effective date (whichever is later), written security policies and procedures and written records of required actions, activities, or assessments. A CE must periodically review and update its documentation in response to environmental or organizational changes that affect the security of electronic protected health information (ePHI).

Remember: Security is not a one-time project, but rather an ongoing, dynamic process that will create new challenges as the organizations and technologies of CEs and BAs change.

Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more request your copy of “HIPAA Security Rule – Know The Rules!” Newsletter Today.
