Written Policies and Procedures – HIPAA – “It’s The Law”

by Brian L Tuttle, CPHIT, CHP, CHA, CBRA, CISSP

I know, I know . . . there’s nothing more mundane and boring than writing policies and procedures for every aspect of the HIPAA Privacy and Security Rule.  But guess what, lucky you….they are required!  This is a non-negotiable required part of HIPAA – “Covered entities (this means your practice!) must adopt a written set of privacy/security procedures and designate a privacy and security officer to be responsible for developing and implementing all required policies and procedures”.  Furthermore, as of the HITECH act (also known as American Recovery and Reinvestment Act or Obama Stimulus), Business Associates must also have written policies and procedures in place to be in compliance – and are now held liable for any PHI (Protected Health Information) they are utilizing.  Fun, fun, fun.   For this article we will be looking at the HIPAA Security Rule Policies and Procedures.  This seems to be the greatest area of need and concern for folks.

In my years of consulting practices on getting proper policies in place, I’ve noticed a disturbing trend: many practices tend to use “cookie cutter” policies which are basically fill-in-the-blank templates.  Of course this is better (kind of) than having no policies at all, but it is far from sufficient.  When (not if) your practice is audited by the Federal government you need to have policies in place that are actually being carried out by your practice.  Additionally, if you were to have a breach of PHI and good, sound policies were in place, this gives you a much better defense than poorly written policies.  ALL POLICIES SHOULD BE BASED ON YOUR RISK ASSESSMENT.  I won’t get too deep into the ins and outs of conducting a proper risk assessment in this article, but it is highly recommended this be done prior to writing your policies.  Feel free to contact me regarding how to conduct the Risk Assessment.

Now with all that said how do I recommend you get “better” HIPAA policies written?  Here’s what I have found to be the best way to get this done.  

First, know your risk.

Second, you need to have a list of all the HIPAA Security Standards.  Here is a simple, very condensed breakdown of the HIPAA Security Rule, grouped into its three safeguard categories:

Administrative Safeguards

Standard: Security Management Process
Implementation Specification(s): Risk Analysis, Risk Management, Sanction Policy, Information System Activity Review

Standard: Assigned Security Responsibility
Implementation Specification(s): Assigned Security Responsibility

Standard: Workforce Security
Implementation Specification(s): Authorization and/or Supervision, Workforce Clearance Procedure, Termination Procedures

Standard: Information Access Management
Implementation Specification(s): Isolating Clearinghouse Functions, Access Authorization, Access Establishment and Modification

Standard: Security Awareness and Training
Implementation Specification(s): Security Reminders, Protection from Malicious Software, Log-in Monitoring, Password Management

Standard: Security Incident Procedures
Implementation Specification(s): Response and Reporting

Standard: Contingency Plan
Implementation Specification(s): Data Backup Plan, Disaster Recovery Plan, Emergency Mode Operation Plan, Testing and Revision Procedure, Application and Data Criticality Analysis

Standard: Evaluation
Implementation Specification(s): Evaluation

Standard: Business Associate Contracts
Implementation Specification(s): Written or Other Arrangements

Physical Safeguards

Standard: Facility Access Controls
Implementation Specification(s): Contingency Operations, Facility Security Plan, Access Control and Validation Procedures, Maintenance Records

Standard: Workstation Use
Implementation Specification(s): Workstation Use

Standard: Workstation Security
Implementation Specification(s): Workstation Security

Standard: Device and Media Controls
Implementation Specification(s): Disposal, Media Re-use, Accountability, Data Backup and Storage

Technical Safeguards

Standard: Access Controls
Implementation Specification(s): Unique User ID, Emergency Access Procedure, Automatic Logoff, Encryption and Decryption

Standard: Audit Controls
Implementation Specification(s): Audit Controls

Standard: Integrity
Implementation Specification(s): Mechanism to Authenticate ePHI

Standard: Person or Entity Authentication
Implementation Specification(s): Person or Entity Authentication

Standard: Transmission Security
Implementation Specification(s): Integrity Controls, Encryption

Third, understand what each Standard entails.  I like going straight to the Health and Human Services website; it gives the complete text of the regulations (both Privacy and Security) and many resources to draw on: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html

Fourth, write a policy for every single one of the rules.  Yes, there are a lot (44 in total), but if you pace yourself and do a few per day it won’t be so bad.  Write exactly what the law requires in the header, and then what your practice is doing to be within compliance.  Writing them this way is very simple, easy to follow, concise, and leaves no room for error.


Fifth, you will note that many of the HIPAA Security Implementation Specifications are either “required” or “addressable”.   A “required” Implementation Specification obviously means that you must have it implemented as a written policy and you must be following the rule.  An “addressable” Implementation Specification means you need to be following the rule unless you have a written policy explaining why it isn’t necessary for your practice.  Either way, a policy must be written.

Click Here for an example of a custom written HIPAA Security Rule policy and procedure pertaining to “Login Monitoring”. 


As you can see, this is part of the Administrative Safeguards portion of the Security Rule: the Standard is Security Awareness and Training and the Implementation Specification is “Login Monitoring”.   You can also see I included the actual citation within the Federal Register and explained the law in the “Requirement” area.   Also note this is an “addressable”, not a required, specification.

That’s it — one well written policy!

If you would like an example of more custom policies or would like more information on a Risk Assessment or HIPAA Audit for your practice, feel free to contact me at:  brian.tuttle@ingaugehsi.com,  www.hipaa-consulting.com


Brian Tuttle is a Senior IT Specialist for InGauge Healthcare Solutions, Inc., an InHealth company.   Efficiency in Practice is the free eNewsletter for medical practice managers who want to save time, money and reduce risk.  For more information and to access your FREE report, Patient Collections: It’s Make or Break for Many Practices, visit www.efficiencyinpractice.com 

This article can be reprinted freely online, as long as the entire article and this resource box are included
