It’s that time of year where I am working on Security Risk Assessments for all of our clients. Are your HIPAA Policies and Procedures up to date? Have you reviewed the manual? All you need to do is review them, make any corrections and initial them. It’s also good practice to go over the manual with the staff so they are informed as well.

Are Your HIPAA Policies And Procedures Up To Date?

Over the next few days, I will be posting some policies for you in case you either don’t have one, or don’t like the one you have. Keep in mind you can edit these at your convenience and make sure they fit your practice. They shouldn’t be cookie cutter as each practice is different.

If you would like the entire manual, contact Tier3MD support desk and they can assist you.

Policies You Can Use

1.2 Sanction Policy

  • Has your practice shared a written Sanction Policy to apply appropriate sanctions against workforce members who fail to comply with your security policies and procedures?
  • Do you require employees to sign a statement of adherence to security policy and procedures (e.g., as part of the employee handbook or confidentiality agreement) as a prerequisite to employment?
  • Does the statement of adherence to security policies and procedures state that the workforce member acknowledges that violations of security policies and procedures may lead to disciplinary action, for example, up to and including termination?
  • Does the sanction policy provide examples of potential violations of policy and procedures?
  • Does the sanction policy adjust the disciplinary action based on the severity of the violation?

You need to make sure all of these things are covered in your HIPAA Policy and Procedure Manual.

<YOUR PRACTICE NAME> Compliance investigates allegations of noncompliance with privacy and information security policies and determines findings. These findings are reviewed with the appropriate administrator (e.g., the workforce member’s manager, or leadership team), to determine appropriate sanctions.

This policy applies to all Users, and the information covered in this policy includes Protected Health Information (or PHI).

When the findings result in noncompliance, the workforce member’s manager shall determine the corrective actions in consultation with the leadership in Human Resources. In determining corrective actions, the manager should take into consideration the severity of the violation, whether the violation was intentional or unintentional, whether the violation indicated a pattern or practice of improper use or disclosure of PHI, and the workforce member’s corrective action record.

Corrective action includes, but is not limited to: training; re-signing the Privacy, Confidentiality, and Information Security Agreement; coaching; retraining; informal counseling; formal counseling; final counseling; suspension; demotion or termination/dismissal. Corrective action must comply with the provisions of applicable federal and state laws and regulations.

The Practice Manager will develop appropriate documentation and retain it according to HIPAA Standards and record retention schedules.

Link to Regulation

HIPAA – 45 C.F.R. § 164.308(a)(1)(ii)(C)