Having a HIPAA policy is not enough to maintain HIPAA compliance. You need to actually execute the policy. Having a policy that states you will do yearly HIPAA training means you MUST do yearly HIPAA training. I am learning that some practices think having a policy is sufficient.


Here is a good example. Risk Analysis, 45 CFR 164.308(a)(1)(ii)(A), states that you will perform a risk analysis on a yearly basis. You may have the policy, but you may not have completed the assessment. Again, having a HIPAA policy is not enough.

What you need to do

You not only have to execute your policies, you have to document that you have executed your policies. Let’s take the example above. Risk Analysis, 45 CFR 164.308(a)(1)(ii)(A), states that you must do a security assessment. In order to meet HIPAA compliance, you would have documentation showing that you have done the assessment, identified the potential holes, leaks and vulnerabilities it found, come up with a plan to remediate them, and set a remediation date. If you have done that, then you have met the HIPAA requirements.

Go back and look at all your HIPAA policies and procedures and ask yourself, “Are we doing this?” If not, it is not too late to go back and start executing and documenting your policies and procedures. For help, you can contact Tier3MD.

Tier3MD is a medical IT support group headquartered in Atlanta, GA.