What Policies are Required under HIPAA?
The following outlines the types of policies and procedures required for implementation and management of HIPAA compliance.
Required Policies and Procedures under HIPAA
The HIPAA Rules impose extensive requirements on Covered Entities and Business Associates (regulated entities) to develop, implement, and document specific policies, procedures, and safeguards to protect Protected Health Information (PHI).
The required policies and documentation fall primarily under the Administrative Requirements of the Privacy Rule and the Administrative, Physical, and Technical Safeguards of the Security Rule.
General Safeguards:
These policies govern how the entity manages privacy within its organization:
- Contact Person/Office Designation: A covered entity must designate a contact person or contact office responsible for receiving complaints and providing individuals with information on the entity's privacy practices.
- Mitigation Policy: A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by improper use or disclosure of PHI by its workforce or business associates.
- Data Safeguards Policy: A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule and to limit incidental use and disclosure. Examples include shredding documents and securing medical records with lock/key or passcode.
- Complaint Procedures: A covered entity must have documented procedures for individuals to complain about its compliance with its privacy policies and the Privacy Rule.
- Documentation and Record Retention Policies: A covered entity must maintain its privacy policies and procedures, privacy practices notices, and disposition of complaints for six years after the later of their creation or last effective date.
- Notice of Privacy Practices (NPP): Each covered entity must provide a notice describing its privacy practices, its duties to protect privacy, individuals' rights, and contact information. Recent rules require revisions to NPPs to support reproductive health care privacy.
- Minimum Necessary Policies and Procedures: A covered entity must develop and implement policies and procedures that restrict access and uses of PHI based on workforce roles and must establish policies (which may be standard protocols) for routine, recurring disclosures to limit information to the minimum necessary.
HIPAA Required Policies and Procedures
Below is a list of the policies, procedures, and plans that the HIPAA Rules explicitly require or effectively mandate:
Security Rule Safeguards
The Security Rule requires regulated entities to adopt reasonable and appropriate policies and procedures to comply with its provisions.
Administrative Safeguards
- Security Management Process (Risk Analysis and Risk Management): Procedures to perform an accurate and thorough risk assessment of potential risks and vulnerabilities to ePHI and implement security measures that reduce risks to an appropriate level.
- Assigned Security Responsibility: Policies designating a security official responsible for developing and implementing security policies and procedures.
- Workforce Security Policies: Policies/procedures ensuring workforce members have appropriate authorization, supervision, and access to ePHI.
- Information Access Management Policies: Policies/procedures for authorizing access to ePHI only when appropriate for the user's role, consistent with the minimum necessary standard.
- Security Awareness and Training: A regulated entity must train all workforce members on its security policies and procedures.
- Sanction Policy: A regulated entity must apply appropriate sanctions against workforce members who violate its security policies and procedures.
- Security Incident Procedures: Policies/procedures to address security incidents, including identification, response, mitigation of harmful effects, and documentation of outcomes.
- Contingency Plan: Procedures for responding to emergencies or occurrences that damage information systems containing ePHI, including plans for backing up ePHI, restoring lost data, and continuing critical business processes (emergency mode operation).
- Evaluation: Procedures to perform a periodic technical and non-technical assessment of how well policies and procedures meet Security Rule requirements.
Physical Safeguards
- Facility Access and Control Policies: Policies/procedures to limit physical access to electronic information systems and facilities that house them.
- Workstation Use and Security Policies: Policies/procedures specifying the proper use of, and physical safeguards for, workstations that can access ePHI.
- Device and Media Controls Policies: Policies/procedures governing the receipt, removal, movement, and final disposition of hardware and electronic media containing ePHI, including procedures for removing ePHI before media are made available for re-use.
Technical Safeguards
- Access Control Procedures: Technical policies/procedures for electronic information systems to allow only authorized persons to access ePHI.
- Audit Controls: Mechanisms (hardware, software, or procedural) to record and examine activity in information systems that contain or use ePHI.
- Integrity Procedures: Policies/procedures to ensure that ePHI is not improperly altered or destroyed, and electronic measures to confirm ePHI integrity.
- Authentication Procedures: Procedures to verify that a person seeking access to ePHI is who they claim to be.
- Transmission Security Measures: Technical security measures to guard against unauthorized access to ePHI transmitted over an electronic network.
Organizational Requirement:
- Business Associate Agreements (BAAs): A covered entity must have a written contract or arrangement (BAA) with any business associate that creates, receives, maintains, or transmits ePHI on its behalf, ensuring the business associate will comply with the Security Rule.
Breach Notification Rule Requirements
- Breach Notification Policies and Procedures: Covered entities are required to have in place written policies and procedures regarding breach notification.
- Workforce Training and Sanctions: Covered entities must train employees on these policies and procedures and develop and apply appropriate sanctions against workforce members who fail to comply.
- Documentation of Breach Determinations: Entities must maintain documentation demonstrating that all required notifications were made, or, alternatively, documentation (such as a risk assessment) showing notification was not required due to a low probability of PHI compromise.
Special Policy/Procedure:
- Attestation Procedures: Regulated entities receiving a request for PHI potentially related to reproductive health care for specific purposes (like law enforcement or judicial proceedings) must obtain a signed attestation confirming the use or disclosure is not for a purpose prohibited by the final rule.