What Are HIPAA Policies and Procedures?

How are your employees expected to follow HIPAA standards when you don’t have a set of guidelines in place? Having written HIPAA policies and procedures is an important part of HIPAA compliance as they provide your organization and employees with a reference point for what is and is not appropriate in regards to protected health information. HIPAA policies provide general guidelines for how to meet HIPAA requirements, while HIPAA procedures provide a specific action that is appropriate for handling a situation. 

HIPAA Privacy Policies and Procedures for Healthcare Providers

The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 (What is HIPAA?).

The Privacy Rule set forth standards for the privacy of certain health information, referred to as protected health information (PHI). PHI is any “Individually Identifiable Health Information” related to the past, present, or future provision of healthcare.


The Privacy Rule addresses privacy of PHI in several ways, including:

  • Dictating the proper use and disclosure of individuals’ PHI
  • Creating standards that outline an individual’s rights in regards to their PHI
  • Requiring covered entities to provide patients with a Notice of Privacy Practices so that they understand how their health information is used

HHS and the Office for Civil Rights (OCR) have the responsibility of implementing and enforcing the Privacy Rule with respect to compliance activities and civil money penalties. The Privacy Rule assures that an individual’s health information is properly protected while allowing the necessary health information to be provided to promote quality healthcare. As such, the Privacy Rule permits important uses of information, while protecting the privacy of people who seek healthcare.

The HIPAA Privacy Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed. Covered entities regulated by the HIPAA Privacy Rule are required to comply with all of its applicable requirements.

The Privacy Rule applies to health plans, healthcare clearinghouses, and to any healthcare provider who transmits health information in any form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).

HIPAA policies for privacy provide guidance to employees on the proper uses and disclosures of PHI, while HIPAA procedures provide employees with specific actions they may take to appropriately use and disclose PHI. For instance, a HIPAA privacy policy for adhering to the HIPAA minimum necessary standard may state: “When using or disclosing PHI, organization shall make reasonable efforts to limit uses, disclosures, and requests of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” The HIPAA procedure applicable to this policy may state: “Organization will identify the classes of persons or job titles within the organization’s workforce who need access to PHI to carry out the job duties and responsibilities described in organization’s job descriptions.”

Let’s Simplify Compliance

Do you need help creating your HIPAA policies and procedures? Compliancy Group can help!


Protected Health Information

The Privacy Rule protects all 18 fields of “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information protected health information (PHI). Individually identifiable health information includes demographic data that can identify the individual, such as name, address, birth date, Social Security Number, and past medical history. This type of information must be protected.

HIPAA Security Policies and Procedures

The Security Rule requires healthcare organizations to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI.

The Security Rule defines:

  • Confidentiality to mean that ePHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI.
  • Integrity to mean that ePHI is not altered or destroyed in an unauthorized manner.
  • Availability to mean that ePHI is accessible and usable on demand by an authorized person.

HHS recognizes that healthcare organizations range from the smallest provider to the largest, so the Security Rule is flexible and scalable to allow businesses to analyze their own needs for compliance policies and procedures, and implement solutions appropriate for their specific environments.

When a healthcare organization is deciding which security measures to use, the Rule does not dictate those measures but requires the organization to consider:

  • Its size, complexity, and capabilities;
  • Its technical, hardware, and software infrastructure;
  • The costs of security measures; and
  • The likelihood and possible impact of potential risks to ePHI.

Healthcare organizations must review and modify their security policies to c