
HIPAA Policies and Procedures

HIPAA policies and procedures are “work rules” healthcare organizations must implement and regularly update to ensure the confidentiality, integrity, and availability of Protected Health Information – addressing areas such as the privacy of individually identifiable health information, patient rights, data protection, staff training, and security incident responses.

The requirement to develop, implement, and enforce HIPAA compliance policies and procedures appears in the first standard of the Administrative Requirements of the HIPAA Privacy Rule (§164.530). The standard states a covered entity must “designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.”

This standard not only applies to the development and implementation of HIPAA Privacy Rule policies and procedures, but also to policies and procedures designed to comply with the HIPAA Breach Notification Rule. The designated privacy official is also responsible for training members of the covered entity’s workforce on relevant policies and procedures, and for applying sanctions for noncompliance.

With regards to HIPAA Security Rule policies and procedures, the requirements of the Administrative Safeguards (§164.308) are more comprehensive. Covered entities and business associates are required to designate a security official who is responsible for developing and implementing HIPAA policies and procedures designed to prevent, detect, contain, and correct security incidents.


Although the Administrative Safeguards of the HIPAA Security Rule require security and awareness training rather than specific policy and procedure training, security and awareness training programs must be designed “in accordance with §164.306” – these being the General Requirements of the HIPAA Security Rule, which require covered entities and business associates to “protect against any reasonably anticipated uses or disclosures of [PHI] that are not permitted or required by [the HIPAA Privacy Rule]”.

There is No One-Size-Fits-All Policy Playbook

Despite there being thousands of covered entities and business associates, there is no one-size-fits-all template for developing HIPAA policies and procedures. This is because HIPAA accommodates different types of organizations, and what might be appropriate for a large medical system is likely to be impractical for a dental office, veterans’ health program, or technology provider.

Consequently, covered entities are required to conduct periodic HIPAA risk assessments to identify where threats to the confidentiality, integrity, and availability of PHI exist, carry out risk analyses to identify gaps, and develop and implement HIPAA policies and procedures to reduce risks and vulnerabilities to a reasonable and appropriate level.

To assist covered entities and business associates with the development of policies and procedures, HHS’ Office for Civil Rights has released an interactive Security Risk Assessment Tool which guides users through a HIPAA Security Rule assessment. However, this tool does not guarantee compliance with HIPAA as it does not cover HIPAA Privacy Rule and Breach Notification assessments.

HIPAA Privacy Rule and Breach Notification assessments will have to be conducted manually to comply with the Administrative Requirements of the HIPAA Privacy Rule – i.e., “reasonably safeguard Protected Health Information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements of this subpart”.

You Cannot Avoid HIPAA Policies and Procedures

The failure to develop, implement, and enforce HIPAA policies and procedures can have significant consequences. Not only might a lack of guidelines lead to multiple HIPAA violations, but the failure to develop, implement, and enforce HIPAA policies and procedures is itself a HIPAA violation for which HHS’ Office for Civil Rights has previously issued financial penalties.

It is also important that everybody affected by changes to policies and procedures is notified of those changes. This may mean Notices of Privacy Practices need to be revised, members of the workforce need to undergo refresher training, or Business Associate Agreements need to be re-issued. All policy changes must be documented and maintained for a minimum of six years.

In addition to periodically reviewing and updating policies and procedures in response to environmental and organizational changes, covered entities and business associates must also keep policies and procedures up to date with state laws. Some state laws – such as Texas’ Medical Records Privacy Act – extend beyond state boundaries to any covered entity that collects, maintains, or processes the PHI of a Texas resident regardless of where the covered entity is located.

One further reason for keeping HIPAA policies and procedures up to date is that when new HIPAA regulations are published – as is forecast to happen later this year – it will be easier for covered entities and business associates to review and update existing policies and procedures. This not only mitigates the administrative overhead of HIPAA compliance but will also smooth the introduction of changes for patients, members of the workforce, and business associates.

HIPAA Policies and Procedures FAQs

Are business associates required to develop and implement HIPAA Privacy Rule policies?

Business associates are required to develop and implement HIPAA Privacy Rule policies when a HIPAA Privacy Rule standard applies to a service being provided to or on behalf of a HIPAA covered entity. This is because all HIPAA Administrative Simplification Regulations apply to business associates “where provided” (§160.102). Business associates should include such circumstances in compliance assessments to ensure HIPAA Privacy Rule policies exist when these circumstances occur.

What should Breach Notification policies and procedures include?

Breach notification policies and procedures should include everything from the definition of a data breach to how affected individuals, HHS’ Office for Civil Rights, and the media will be notified. One of the most important policies in this area should be how members of the workforce report a breach to supervisors, so that the covered entity or business associate can mitigate the impact of the breach as quickly and as effectively as possible.

Is it possible to combine policy and procedure training with security and awareness training?

In some cases, it can be beneficial to combine HIPAA Privacy Rule and HIPAA Security Rule training – for example, when discussing device and media controls and why they exist. However, combining unrelated areas of HIPAA can confuse trainees or result in information overload, which can limit retention and result in unintentional violations. Therefore, it is a best practice to combine HIPAA Privacy Rule and HIPAA Security Rule training only when appropriate.

Can the privacy official and the security official be the same person?

The privacy official and the security official can be the same person because HIPAA does not stipulate that the roles have to be assigned to different individuals. However, it is more often the case that the role of privacy official is assigned to an employee in an administrative, HR, or legal position, while the role of security official is assigned to an employee in a senior IT position due to the complexity of some HIPAA Security Rule implementation specifications.

What changes to HIPAA are forecast to happen this year?

Among the changes forecast to happen this year, individuals may be allowed to request a transfer of PHI to personal health apps or request that PHI maintained on an EHR is shared between covered entities, “good faith” uses and disclosures of PHI may be allowed beyond those currently permitted by the HIPAA Privacy Rule, and there are proposals to strengthen cybersecurity measures in the HIPAA Security Rule. If these proposals are finalized, the changes will have a significant impact on existing HIPAA policies and procedures.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or by email via stevealder(at)hipaajournal.com
