How to create HIPAA policies and procedures

What your facility needs to know about creating Health Insurance Portability and Accountability Act (HIPAA) compliance policies and procedures.

June 24, 2024


When Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996, it aimed to set a national standard for handling and protecting sensitive patient data.

In general, organizations that handle protected health information (PHI) must implement and follow “privacy, security and administrative simplification” measures to meet HIPAA compliance requirements. (The Department of Health and Human Services (HHS) issues the HIPAA rules, and its Office for Civil Rights (OCR) enforces them.)

More specifically, HIPAA works on several levels. For starters, when Americans change or lose their jobs, HIPAA enables them to transfer and continue health insurance coverage for themselves and their families. And, thanks to its standardized approach (and the transparency that goes along with it), HIPAA works to decrease abuse and fraud in health care.

HIPAA also requires industry standards for handling information in electronic billing and other health care processes. Finally, HIPAA addresses the protection and privacy of health data.

HIPAA is organized into five separate categories (known as “titles”), as follows:

  • Title I: HIPAA Health Insurance Reform
  • Title II: HIPAA Administrative Simplification
  • Title III: HIPAA Tax Related Health Provisions
  • Title IV: Application and Enforcement of Group Health Plan Requirements
  • Title V: Revenue Offsets

While there are many facets of HIPAA compliance, this article deals exclusively with Title II: HIPAA Administrative Simplification.

Title II aims to boost the health care system’s efficiency and effectiveness by encouraging the secure and confidential exchange of electronic information. Its privacy and security requirements include implementing reasonable and appropriate policies and procedures to comply with the HIPAA standards, and documenting them.

HIPAA documentation requirements

If you are wondering what “reasonable and appropriate” means with regard to how your facility handles PHI, it generally refers to the policies and procedures, covering administrative, physical and technical safeguards, that govern how your facility creates, receives, maintains, transmits, uses and discloses this health data. But when it comes to specific HIPAA policies and procedures, which documents do facilities actually need?

Keep in mind that the following is not an exhaustive list of documents your organization should have to meet HIPAA compliance requirements. However, use these examples as a foundation on which to build a solid documentation strategy.

  • Training provided
  • Privacy Official, Contact Person
  • Complaints to Covered Entity and their disposition, if any
  • Notice of Privacy Practices (plus acknowledgment and good faith efforts to obtain acknowledgments)
  • Authorizations
  • Business Associate Contracts
  • Designated record sets that are subject to access by the individual, access contact persons, requests, and responses
  • Amendment contact persons, requests, denials, disagreements and rebuttals
  • Information required to be in accounting, accounting contact person, requests, and accountings provided to individual
  • Restriction Request Agreement
  • Health care component (HCC) designations for hybrid entities
  • Affiliated Covered Entity Designations
  • Certification of Group Health Plan document amendment
  • Verification documents of public officials, personal representatives

Regardless of which policies you need, both the Privacy Rule and the Security Rule require facilities to review them periodically, update them in response to environmental or operational changes, and train workforce members on them. The rules also set the retention period: keep your policies, procedures and the related documentation (including superseded versions) for six years from the date they were created or the date they were last in effect, whichever is later.

Admittedly, most facilities already have processes and systems in place for handling patient records in a HIPAA-compliant way. But a key requirement is creating written, reasonable and appropriate policies and procedures. Facilities often overlook these internal documents and do not give them the same level of attention as patient records. They are no less important: without them, you cannot demonstrate compliance.

How to develop HIPAA-compliant policies and procedures

Developing comprehensive health care policies and procedures provides the foundation for quality patient care and operational excellence. They set expectations, guide daily activities, promote consistency, reduce mistakes, and keep both patients and staff safe.

But because HIPAA compliance requirements are complex, it can be hard to know exactly what to document and how. A good rule of thumb is to put in writing everything that touches PHI. Keep prior versions of your policies alongside the current ones, so the documentation shows how your controls have changed over the years and what you plan next; the six-year retention requirement applies to superseded policies as well.

1. Understand what reasonable and appropriate means for you

The language of the HIPAA standard is intentionally vague because different facilities have different needs.

A large hospital system, for example, will need many more policies, with a much greater level of detail, than a private practice or walk-in clinic. Therefore, before you jump into writing HIPAA policies and procedures, your first step should be understanding your facility’s specific needs and areas of risk. For the Security Rule this is not optional: a documented risk analysis of the threats to electronic PHI is a required implementation specification, and it is the basis on which you decide what is reasonable and appropriate for your facility. Once you have that picture, begin crafting policies to address those risks.

In some cases, you might already have processes around these risk areas, but putting them into a formal, written policy turns an informal practice into evidence you can show an auditor or OCR investigator. In other cases, you may need to hire an outside consultant (such as an expert in HIPAA compliance) to help identify and write the specific policies you need.

2. Document your current processes

Like any job you have been doing for a long time, tasks, processes, and procedures become second nature to the point where you no longer have to think about them. Healthcare is no different.

You have likely been handling tasks, processes, and procedures in your facility to meet HIPAA requirements for a long time. However, it might have been years since you have actually looked at or updated your policies.

Rather than take a reactive approach to documenting your processes, take a proactive one. Do not wait for a problem to surface or for staff turnover to force you into handling HIPAA compliance requirements; act now.

Evaluate whether these processes still meet your compliance needs, then capture them in a written policy and procedure document. Without that written record, you cannot prove compliance with HIPAA’s policy and procedure requirements.

3. Write policies using easy-to-understand language

With so much regulatory jargon swirling around HIPAA compliance, you might easily fall into the trap of overthinking it and trying to add the right buzzwords into your policies. But you will always fare better writing policies your staff can understand and implement rather than what you think the regulations want you to say.

Another challenge is keeping overly technical or medical language out of the policies. Every employee needs to understand every policy that applies to them, so write in plain language wherever possible.

4. Put your policies into practice

Make sure you distribute your official HIPAA policies and procedures to staff. Create a staggered communication plan to convey this information so you do not overwhelm employees with too many changes all at once, even if you are reviewing policies in bulk.

You should also consider requiring employees to sign off on policies, as this gives you an added layer of protection in case an issue arises. If you are using a policy management solution, like PowerDMS, the sign-off procedure can be done electronically, providing a clear audit trail for every policy you create.

5. Train to your policies

Most likely, some of your training already touches on HIPAA compliance or HIPAA privacy. But training should not exist in a vacuum. Instead, your training and your policies should work hand in hand. Make sure your training covers the specifics of your policies and addresses them in a practical way, so the two reinforce one another.

Doing so helps staff understand how all your policies and procedures apply to their day-to-day jobs rather than just some mandatory class they must sit through every year.

The bottom line? Do not wait until a problem occurs to get control of your HIPAA policies and procedures. Fortunately, you can rely on PowerDMS as a turnkey solution to help you store, manage, distribute, and track your most important policy and procedure documentation.

Learn about other important healthcare policies your facility should have, or schedule a demo today to see how PowerDMS is specialized for your needs and goals.
