Tips for your HIPAA Policy and Procedure Manual

Policies are the foundation of an organization's expectations of its workforce. Without documented policies and procedures there is no basis for guidance, and without guidance there is no basis for security. The tips below apply to any HIPAA policy and procedure manual.

  • Formally define a policy creation and policy maintenance practice: who drafts, who approves, and how versions are tracked
  • Write policies so they stay valid for up to five years. This is the policy's working life, not a retention period: the Security Rule requires that policy documentation, including superseded versions, be retained for six years from the date of creation or the date it was last in effect, whichever is later (45 CFR 164.316(b)(2))
  • Do not be too specific in policy statements. A policy is a high-level statement of objectives and requirements; step-by-step detail belongs in the procedures that implement it
  • Use forceful, directive wording ("must" and "shall", not "should" or "may")
  • Technical implementation details do not belong in a policy. Policies should be technology independent so that a product or vendor change does not force a policy rewrite
  • Keep each policy as short and to the point as possible
  • Provide references and supporting documents if you have them
  • Thoroughly review before publishing
  • Conduct management review and sign-off
  • Employees should acknowledge policies. A signed acknowledgment that they have read and understood them is sufficient; keep the signed pages with your other HIPAA documentation
  • Review incidents and adjust policies. Revisions are common
  • Periodically review your policies
  • Define policy exception rules: who may approve an exception, how it is documented, and when it expires
  • Develop sanctions for non-compliance and apply them consistently. A sanction policy is itself a required element of the Security Rule (45 CFR 164.308(a)(1)(ii)(C))

Policies are the foundation of a comprehensive and effective security program. The Security Rule's required and addressable implementation specifications will guide you in deciding which policies and procedures your practice needs. Without them, your staff have no documented basis for how to handle protected health information, you have nothing to show an auditor or investigator, and you leave yourself wide open to HIPAA violations and penalties.