5 Best Practices to Incorporate in Your HIPAA Security Policy

Maintaining compliance with The Health Insurance Portability and Accountability Act (HIPAA) is essential for any medical organization.

HIPAA violations can cost your organization up to $50,000 per violation.

Having an effective, well designed HIPAA security policy can be the difference between success and failure in HIPAA compliance.

Check out the five most important practices to incorporate into your policy.

The Health Insurance Portability and Accountability Act, more commonly known as HIPAA, is a federal law that covers patient privacy and recordkeeping. It lays out specific requirements and legal responsibilities of medical offices relating to patient privacy rights.

HIPAA is made up of three main rules. These are:

  • The HIPAA Privacy Rule
  • The HIPAA Security Rule
  • The HIPAA Breach Notification Rule

The privacy rule deals with who has access to protected health information (PHI) and under what circumstances they can use it.

The security rule sets minimum standards for physical and electronic security that must be met for all PHI an organization has access to.

The breach rule is fairly self-explanatory. If an organization’s store of PHI is stolen, hacked or accidentally released, this rule governs how the organization must inform patients.

These three rules are the central factors when deciding on HIPAA compliance measures.

1. PHI Inventory

It’s impossible to secure information you don’t know you have. The first step you should take when creating a HIPAA security policy is to inventory all PHI in your organization’s possession.

This includes physical copies of x-rays and medical documents as well as digital files. Once you have identified all the information in your possession, you can begin to make plans for securing it.

For physical files, centralized storage is often best. By creating a single secure area for all PHI you reduce the cost of securing multiple areas.

Digital files are another matter entirely. Modern cybersecurity concerns all but require multiple layers of protection for PHI. Firewalls, encryption and frequent monitoring are just the beginning.

Performing a PHI inventory also allows you to discover how your organization generates patient data. This makes it easy to eliminate sources of data you don’t need for business and make sure employees are following regulations.

2. HIPAA Security Policy Evaluations

It is important to regularly review your HIPAA security policy to ensure current practices still meet legal requirements. Cyber threats change with lightning speed. By reviewing your security policy you can find out if your organization’s software is still up to date and best practices are being followed.

Besides the benefits to your practice, regular security evaluations are required by federal law. Any organization that regularly stores or accesses PHI must perform regular risk assessments to maintain HIPAA compliance.

Any time your organization changes its physical or computer security measures, an evaluation should take place. This allows you to identify potential problems right away when integrating new systems.

3. Create an Incident Response Plan

Even if you’ve taken all the necessary precautions to protect PHI you should have an incident response plan. Being prepared for the worst case scenario makes it much easier to deal with smaller accidents and issues.

An effective incident response plan lays out the layers of responsibility and control when dealing with a breach or leak. This eliminates confusion and allows everyone involved to work quickly and smoothly.

Being ready to immediately respond to an issue allows your organization to mitigate the damage and limit the information lost.

News travels extremely quickly in our modern interconnected world. If you are ready to issue a response and apology immediately when a PHI breach occurs, it will look much better to patients and regulators.

4. Properly Train Employees

There’s an old saying in information security: the weakest link in any system is the user. No matter how high-tech your security software and information protection systems are, a single human failure can create a HIPAA violation.

The first step in an effective HIPAA security policy is to train employees on who they are able to communicate patient information to. This reduces the likelihood of an in-person or over-the-phone release of information.

Educating employees at every level of the cost of HIPAA violations, both to the patient and to the organization, is another great way to drive home the seriousness of HIPAA.

Basic cybersecurity practices must also be taught to employees. They need to know the importance of using strong passwords, keeping them to themselves and consistently logging out of systems when they stop using them.

By training your employees in the importance of HIPAA and consistently refreshing them on it, you reduce the likelihood of a human breach.

5. Maintain Accountable Information Destruction

When it becomes necessary to remove PHI from your database or physical storage, it is very important that such information is properly disposed of. It is not permitted to simply throw away or delete PHI.

The HIPAA privacy rule requires that any PHI must be disposed of in a permanent and nonrecoverable way. It is best to use professional document and data destruction services for this purpose.

These services will shred, burn and otherwise completely destroy all paperwork as required. They will also use permanent deletion techniques that make PHI unrecoverable from your systems.

It is generally considered a good practice to have hard drives and other digital storage properly destroyed as well.

The main benefit of these services is the audit-ready logs they provide. If you ever face scrutiny, either from a lawsuit or from federal officials, you can provide legally admissible records that prove PHI was properly disposed of.

You can also purchase your own deletion software, some of which includes legal logs.

HIPAA Going Forward

HIPAA requirements continue to change with the advent of new technology. Unfortunately, criminals and those who would abuse PHI are constantly improving their methods and tools to scam, lie and steal. It is up to you to ensure that your organization is educated and protected on HIPAA compliance.

One of the best ways to protect yourself and your organization is with a suite of HIPAA security products. If you would like to learn more about effective HIPAA compliance measures, here is how we can help you.

HIPAA Security Reminders

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.