How often are you updating your HIPAA policy and procedure manual?

I am starting to ask my clients this question: “How are you updating your HIPAA policy and procedure manual?” The reason is that the policy and procedure manual is more or less a living document. It should be changing constantly. Not all of the policies, but many of them.

Most common to change

Mobile device management – This policy will change as the technology on smartphones and laptops changes. For example, if the phones now come with encryption, that can be added to the policy. If the phone does not come with encryption, how you use encryption will be spelled out in the policy.

BYOD – Bring your own device. This can easily change as more and more employees bring in their Macs, PCs and tablets from home.

HIPAA Chief Security Officer – This can change if the current officer leaves or is terminated.

Employee Termination Policy – Most employers continue to add to this so they are perfectly clear on what to do when an employee leaves or is terminated. For example, you may have added an application that the employee will need to be removed from.

Workstation policy – I like to keep a close eye on this for timeouts, logoffs, antivirus, etc. You want to make sure that you don’t need to change anything in the policy.


These are just a few examples of how your policies and procedures will change. You should have them in a binder for easy access and reading; however, it is important that you also have them in a Word format so you can easily make changes, reprint, and file in your book.

In addition to making changes to existing policies, you will continue to add policies. A few years ago, there was no policy for BYOD (bring your own device), or smartphones, or any other mobile device management.

I would suggest a quarterly review of all of your policies and procedures. It’s not only a good refresher as to how things need to be done, it’s a great way to keep your practice and your patient information safe. If you need a policy and procedure manual, please contact Tier3MD at 1-855-MYTIER3.