6 Steps to Start Writing and Managing Your HIPAA Policies and Procedures

Policies and procedures are the backbone of your HIPAA compliance program. They direct your entire team on how to carry out the standards of the HIPAA privacy, security, and breach notification rules.

Policy management is the process of creating, distributing, and updating policies and procedures within an organization. No matter how you maintain your policies and procedures, on paper or in electronic form, you must have a policy management process.

Here are six steps to get you started:

1. Write Your HIPAA Policies and Procedures
Your policies should establish the following:
Purpose. All policies and procedures are written with a specific purpose in mind, such as meeting a goal, implementing a standard, or providing instructions. You should place the purpose of the policy at the beginning of the document, so the reader understands why the policy was written.

Scope. Who does the policy apply to? Is it written for a specific department or the entire organization? Does the policy apply in all situations or only in specific situations? Identify the scope of the policy early on in the document.

Procedures. Procedures are the substance of the policy. Here you spell out the "how to" of the policy: the actions employees or the organization should take to meet the requirements of the policy. Procedures should be clear and concise, using short sentences and common words that everyone can understand.

Definitions. Some policies include very technical terms. Most of the time, the recipients of the policy will understand the terminology. However, keep in mind that people in the policy review process may not have the same knowledge as the person who carries out the procedure. Ambiguity or misinterpretation can work against your policies. Therefore, you should include a section that defines technical terms, so everyone is clear on what the policy means. 

2. Make Policies and Procedures Available to Staff
When you create a policy, you must communicate it to the staff members responsible for carrying it out. Too often, managers develop procedures to help their staff carry out a task but fail to communicate the procedures to their staff! Therefore, make sure you communicate your policies and procedures to your staff, as well as make the documents available so your team can see and use them.

3. Train Staff on Policies and Procedures
You can't assume that your staff will understand their responsibilities or know how to complete tasks required by your policies. Besides making policies available to staff and communicating policies to them, you must go a step further and train them on your policies. Training staff on policies means equipping them to carry out the procedures as they are written. 

4. Develop a Review and Approval Process
Policies aren't written in a vacuum. They must be reviewed and approved by others above the policy writer's level. For example, a department head may write a policy, which the director then reviews and sends to the board of directors to give the final approval. 

Regardless of your organization's structure, you should record the individuals involved in the RAF process (review, approve, finalize) within the policy. This gives legitimacy to the finalized policy. 

How Often Should I Update Policies and Procedures?

Policies change over time, and with good reason. When your working environment changes or there's a change to the regulatory requirements, you may need to revisit your policies. Additionally, some policies are designed to meet state or federal statutes. Therefore, it's important to keep the policies up to date and keep a record of how the procedures meet state or federal requirements.  

5. Maintain Version Control
Version control means you can revisit previous iterations of the policy. HIPAA requires you to maintain your policies' version history for six years. However, some states require you to retain your policies longer. 

6. Use Templates/Software to Streamline Policy Management
We know the frustration of juggling binders packed with documents. Policy management can quickly become a tangled mess of papers and deadlines. That's why we recommend using some type of resource, such as templates or software, to ease the burden of writing and managing your policies and procedures.

In our HIPAA management software, HIPAAtrek, you can build out policies and procedures, see definitions at a glance, train your staff on policies, manage the RAF process, and maintain version control, all from a centralized location.

In Summary

Policies and procedures are the backbone of your HIPAA compliance program. They direct your entire team on how to carry out HIPAA standards. To get started on your policy management process, we recommend the following six steps:

To learn more about how you can use HIPAAtrek as a policy management tool at your organization, contact us at support@hipaatrek.com. 

HIPAAtrek has three of their policy templates available for free on their website. Go to hipaatrek.com/resources/policy-templates/ to learn more about:


Hernan Serrano, Jr., is the director of compliance at HIPAAtrek, a St. Louis-based provider of HIPAA compliance software. He served for 25 years in medical administration with the U.S. Air Force and has 15 years of experience in providing HIPAA oversight at the senior level. He can be reached at hernan@hipaatrek.com.

Anna Belmonte is the content strategist/writer for HIPAAtrek and can be reached at anna@hipaatrek.com.