Staying Compliant with HIPAA: Policies and Procedures That Work

Fines, criminal charges, civil lawsuits: these are just some of the negative outcomes of not following HIPAA laws. As a company or individual bound by HIPAA, you know how imperative it is to ensure every requirement is being upheld, but how do you make sure that all of your i's are dotted and t's are crossed?

Keep reading to learn more about HIPAA policies and procedures that will help your organization to stay in compliance.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. This law created standards to protect patients' private health information from being shared without their consent, and it ensures individuals have access to continuous health insurance after losing or changing jobs.

What is PHI?

PHI stands for protected health information and is the main focus of the HIPAA law. PHI includes any unique data that would allow a patient to be identified, such as name, address, biometric data, or full-face photos. Under HIPAA, all covered entities must ensure that protected health information is handled confidentially.

Who are Covered Entities?

Covered entities under HIPAA and the Privacy Rule are individuals or companies that collect, use, or store PHI. Health plans, healthcare providers, and any business associates that handle PHI are all included.

HIPAA Policies and Procedures

In today's world, there are many considerations to take into account when discussing HIPAA policies and procedures. Not only do physical patient records need to be safeguarded, but electronic information, whether handled in the office or by remote employees, needs to be considered as well.

Let’s take a look at policies and procedures to implement to help keep your company in compliance.

  1. Conduct regularly scheduled self-audits to catch any potential issues before they become a problem.
  2. If any changes need to be made after a self-audit, document them and revisit them regularly to make sure the remediation plan is being adhered to.
  3. Appoint a HIPAA Compliance Officer who will schedule regular training and keep up to date on any changes in HIPAA law.
  4. Maintain records of who has access to protected health information.
  5. Designate restricted areas in the office that house protected health information.
  6. Create policies for the use and transfer of electronic protected health information (ePHI).
  7. Regularly check in with third-party businesses that also have contact with patient information to ensure that they are following HIPAA standards as well.
  8. Ensure that all employees who may have any level of access to patient PHI receive thorough, proper, and clear HIPAA training.
  9. Consider using an all-in-one service to ensure all aspects of HIPAA compliance are being adhered to.
  10. Sign up for HIPAA security reminders for yourself and your team to provide regular reminders of areas to be mindful of.

With vigilance, regular check-ins, and the proper policies and procedures in place, you can make sure that your organization is in full HIPAA compliance.

While considering which HIPAA policies and procedures to enact, it is important to review some of the most common HIPAA violations. Here are some violations to take note of.

Unsecured Records

Physical files should be in a restricted area or a locked filing cabinet. Digital files should be encrypted and password protected.

Lack of Training

When employees lack proper training on HIPAA rules, mistakes are bound to happen. Fortunately, this is an area that can be addressed right away. Training of employees is required under HIPAA.

Sharing of PHI

Employees need to be cautious and aware of sharing PHI even with each other. PHI should only be discussed on an as-needed basis.

Improper Disposal

Any material that may contain PHI must be disposed of in a way that destroys all of the information. This can mean shredding paper records for physical files or wiping hard drives for electronic files.

Release of Information

Unauthorized release of information can be accidental, such as releasing information to a family member who is not listed on the patient's chart. Other times, unauthorized releases are intentional, as often happens when the medical information of celebrities or other public figures is released to the media.

Hacking and Data Breaches

Unfortunately, in today's digital world, hacking happens. While we can't control everything, HIPAA requires safeguards that reduce the risk of data breaches.

Business Associates

Organizations are mandated to have HIPAA-compliant business associate agreements with any companies that are given access to PHI in the course of business. It is a best practice to request information from a potential or current business associate about their HIPAA policies and procedures, to ensure patient privacy is maintained.

Denying Patient Access

Patients have a right to their records. Denying a patient their records, overcharging for copies, or not providing records in a timely fashion are all HIPAA violations.

Emailing ePHI

Although emailing electronic PHI to personal accounts may be a common practice, it is considered removing PHI from a healthcare facility, which puts a patient's information at risk. The same goes for taking physical patient files out of the workplace.

Unattended PHI

Leaving PHI unattended, whether in the form of physical patient records or an electronic device that contains ePHI, can have undesired consequences. All PHI must be secured at all times to prevent unauthorized individuals from viewing the information.

Ensure Proper Compliance

During audits, it is not enough to be in compliance; you must be able to prove that you are in compliance. Clearly outlined HIPAA policies and procedures, proper employee training, quick remediation of any issues, and a HIPAA emergency response plan are key to ensuring compliance.

Contact us to discuss how we can streamline the process for proper HIPAA compliance for your team today.

HIPAA Security Reminders

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that is FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: "Implement a security awareness and training program for all members of its workforce (including management)."

Meeting this standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but the reminder series is available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
