HIPAA Compliance Policy and Procedures: A Complete Guide to Building, Writing, and Maintaining Them


HIPAA compliance policy and procedures are the written rules that tell a healthcare organization how to protect patient information. Without them, staff have no clear guidance for handling protected health information (PHI), no agreed response when something goes wrong, and no proof of compliance during an audit. The U.S. Department of Health and Human Services (HHS) does not just recommend these documents. It requires them. The Office for Civil Rights (OCR) can issue penalties when they are missing, outdated, or ignored. This guide explains what these documents are, who needs them, which ones the law expects, and how to write policies your team will actually follow.

Key Takeaways


  • Policies set the rule, procedures set the steps. A policy states what your organization does and why. A procedure spells out exactly how staff carry it out.
  • Both covered entities and business associates must comply. If your work touches PHI, you need written policies and procedures.
  • Your library must address three core rules. These are the Privacy Rule, the Security Rule, and the Breach Notification Rule.
  • There is no one-size-fits-all template. Policies must match your organization’s size, services, and risk profile.
  • Retain everything for at least six years. All policies and related records must be kept and reviewed on a regular schedule.

Structure and clarity make policies usable. Clear formatting, plain language, accurate rule mapping, and version control separate audit-ready documents from paperwork that fails under scrutiny.

What Are HIPAA Compliance Policies and Procedures?


HIPAA compliance policies and procedures are the documented work rules that tell everyone in an organization how to keep PHI confidential, accurate, and available only to the right people. They turn broad legal requirements into clear instructions your workforce can act on every day.

These documents are not optional. HIPAA is organized into five Titles, and the duty to maintain policies lives in Title II, known as Administrative Simplification. On the privacy side, 45 CFR 164.530 requires a covered entity to designate a privacy official responsible for developing and implementing its policies and procedures, and separately requires written policies and procedures designed to comply with the Privacy Rule. On the security side, 45 CFR 164.308(a)(1) requires policies and procedures to prevent, detect, contain, and correct security violations, 164.308(a)(2) requires a named security official responsible for them, and 164.316 requires that they be written down, retained, and kept current.

Policy vs. Procedure: The Distinction That Trips Organizations Up


Many teams use the two words interchangeably, and that confusion shows up in weak documentation. A policy is stable and high level. A procedure is operational and specific. You need both, and they must connect to each other.

Element | Policy | Procedure
Purpose | States the rule and the intent behind it | States the steps to carry out the rule
Audience | Everyone, including leadership | The staff who perform the task
Detail level | High level and stable | Specific and operational
Example | “Access to PHI is limited to the minimum necessary for each role.” | “Identify job titles needing PHI access, assign role-based permissions, review access quarterly.”

Where the Requirement Comes From


HIPAA covers everything from a solo dental office to a national hospital network. For that reason, the law uses the phrase “reasonable and appropriate” instead of dictating exact wording. That flexibility helps, but it also puts the responsibility on you. You must interpret each standard for your own setting and document the choices you make.

Who Must Have HIPAA Policies and Procedures?


Two groups carry this obligation, and the second group is often surprised to learn it applies to them.

Covered Entities vs. Business Associates


Covered entities include health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. Business associates are the vendors and partners who create, receive, maintain, or transmit PHI on a covered entity’s behalf. Common examples include billing companies, cloud hosts, and IT providers.

The HITECH Act of 2009 extended the Security Rule’s safeguards, policies, procedures, and documentation requirements to business associates in the same way they apply to covered entities. In short, if you touch PHI, you need written policies and procedures. Business associates are also advised to keep certain Privacy Rule policies for situations where a patient contacts them directly.

PHI and ePHI: What You Are Actually Protecting


Protected health information is any individually identifiable health information, from a name and diagnosis to a billing record. When that information is created, stored, or transmitted electronically, it becomes electronic protected health information (ePHI). ePHI is the specific focus of the Security Rule. Your policies should make clear which category each rule governs, so staff apply the right safeguards.

The HIPAA Rules Your Policies Must Address


Strong documentation maps directly to the rules that govern PHI. Most of your policy library will trace back to the rules below.

The Privacy Rule


The Privacy Rule governs how PHI may be used and disclosed in any format. Policies here should cover the Minimum Necessary standard, the Notice of Privacy Practices, and patient rights such as the right to access and amend their records. They should also cover the authorizations required for uses that fall outside treatment, payment, and healthcare operations. Note that patient access rights apply to the designated record set, so your policy should define what that set includes.

The Security Rule


The Security Rule sets national standards for protecting ePHI through three categories of safeguards. Administrative safeguards cover risk analysis and risk management, workforce training, sanctions, and security incident procedures. Physical safeguards cover facility access and device and media controls. Technical safeguards cover access controls, audit controls, integrity, person or entity authentication, and transmission security, with encryption appearing as an implementation specification under both access control and transmission security. Each standard needs a written policy and a matching procedure. Note that implementation specifications are either “required” or “addressable”: an addressable specification is not optional. You must either implement it, implement an equivalent alternative, or document why it is not reasonable and appropriate in your environment, and whichever choice you make must be written down.

The Breach Notification Rule


This rule defines what counts as a breach of unsecured PHI and how you must respond. Good breach policies cover internal reporting, meaning how a staff member alerts a supervisor or the privacy official, the four-factor risk assessment that decides whether an incident is a reportable breach, and the notification timelines. Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery. OCR must be notified within that same 60-day window for breaches affecting 500 or more individuals, and within 60 days after the end of the calendar year for smaller ones. Prominent media outlets must be notified when a breach affects more than 500 residents of a single state or jurisdiction. A business associate’s policy must also cover notifying the covered entity, which has its own clock to meet.

The Omnibus Rule and the Enforcement Rule


The 2013 Omnibus Rule was the last comprehensive revision of the HIPAA Rules. It strengthened privacy and security protections and made business associates directly liable for compliance. The Enforcement Rule sets out how OCR investigates complaints and applies civil monetary penalties, which are tiered by the level of culpability, from lack of knowledge up to willful neglect that goes uncorrected. Knowing misuse of PHI can also carry criminal penalties, which are prosecuted by the Department of Justice rather than OCR. Common violations that trigger enforcement include hacking, lost or stolen unencrypted devices, and the improper disposal of records, all of which your policies should help prevent.

Which Policies Does Your Organization Actually Need?


There is no fixed number. The right set depends on your risk analysis and the services you provide. Even so, certain policies are expected of nearly every regulated organization. The crosswalk below maps common required policies to their governing rule and citation, so you can check your own library for gaps.

Required policy | Governing rule | CFR citation
Risk analysis and risk management | Security Rule | 164.308(a)(1)(ii)(A) and (B)
Sanctions for noncompliance | Security Rule | 164.308(a)(1)(ii)(C)
Information system activity review | Security Rule | 164.308(a)(1)(ii)(D)
Workforce security and access management | Security Rule | 164.308(a)(3) and (a)(4)
Security awareness and training | Security Rule | 164.308(a)(5)
Security incident procedures | Security Rule | 164.308(a)(6)
Contingency and data backup plan | Security Rule | 164.308(a)(7)
Documentation and six-year retention | Security and Privacy Rules | 164.316 and 164.530(j)
Notice of Privacy Practices | Privacy Rule | 164.520
Minimum Necessary use and disclosure | Privacy Rule | 164.502(b) and 164.514(d)
Patient access and amendment rights | Privacy Rule | 164.524 and 164.526
Business Associate Agreements | Privacy and Security Rules | 164.308(b), 164.314(a), and 164.504(e)
Breach notification | Breach Notification Rule | 164.400 to 164.414

A large hospital system will need far more policies, and far more detail, than a private clinic. Scale the depth to your risk, not to a generic checklist.

Anatomy of a Strong HIPAA Policy Document


This is where many organizations fall short. A policy that is legally sound but poorly built rarely changes behavior. Every effective HIPAA policy document should contain a consistent set of components:

  • Purpose: why the policy exists and which requirement it satisfies.
  • Scope: who and what the policy covers, including departments, roles, and systems.
  • Policy statement: the rule itself, written plainly.
  • Procedure steps: the ordered actions that carry the rule out.
  • Responsible roles: who performs, approves, and oversees each step.
  • Definitions and references: key terms and the CFR citations the policy addresses.
  • Revision history: version number, dates, and a summary of changes.
  • Approval and signature: sign-off that establishes authority and accountability.

When every document follows the same structure, training gets easier, audits move faster, and nothing important gets lost between versions.

How to Build HIPAA Policies and Procedures: The GUARD Framework


To make the process repeatable, we use a five-step method we call the GUARD Framework. It moves an organization from scattered practices to a documented, defensible policy library.

G: Gauge Scope and Risk


Start with a risk analysis. Identify where PHI lives, how it moves, and where threats to its confidentiality, integrity, and availability exist. This tells you which standards apply and where you need the most detail. HHS offers a free Security Risk Assessment (SRA) Tool, developed by ONC together with OCR, that can guide a Security Rule review. It does not cover Privacy Rule or Breach Notification assessments, and completing it is not by itself a risk analysis; the documented findings and the risk management decisions that follow are what OCR asks for.

U: Understand the Rule Mapping


Connect each identified risk to the specific rule and citation that governs it, using a crosswalk like the one above. This prevents the most common audit failure: a policy that sounds reasonable but does not actually map to a requirement.

A: Author in Plain Language


Write policies your staff can read and apply. Avoid stacking regulatory jargon. Use the consistent document structure described earlier, and pair every policy with a workable procedure. If a clinician cannot follow the steps during a busy shift, the document has failed, no matter how compliant it looks on paper.

R: Roll Out and Attest


Distribute policies through a planned, staggered rollout, so staff are not buried in changes all at once. Require sign-off, ideally electronic, so you build an audit trail of who read and accepted each policy. Tie training directly to the policies rather than running it as a separate, generic exercise.

D: Document and Review


Store every policy, change, and attestation. Keep these records for at least six years from the later of their creation or last effective date. Set a review cadence, log every revision, and update documents whenever your environment, technology, or the regulations change.
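The record keeping that the Roll Out and Document steps describe, as an added example that is not part of the original article: a small Python model of a policy version log with attestation records. It answers the two questions an auditor asks after an incident (which version was in force on that date, and had the person involved accepted it by then) and computes the retention date as six years from the later of creation or last-in-effect date, as the text states. The data model, function names, policy identifier and the people in the sample records are all constructed for illustration.

```python
"""Policy version log, attestation trail and retention check.

Added example: illustration code, not the article's or any vendor's tooling.
The data model, function names and sample records are constructed. The
six-year figure follows the retention rule described in the text (six years
from the later of the creation date or the date the version last was in effect).
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple

RETENTION_YEARS = 6


@dataclass(frozen=True)
class PolicyVersion:
    policy_id: str
    version: str
    created: date                      # date the document was authored and approved
    effective_from: date               # first date it was the rule in force
    retired_on: Optional[date] = None  # date it stopped being in force; None = current


@dataclass(frozen=True)
class Attestation:
    person: str
    policy_id: str
    version: str
    signed_on: date                    # date the workforce member accepted this version


def version_in_force(versions: Iterable[PolicyVersion], policy_id: str,
                     on_date: date) -> Optional[PolicyVersion]:
    """The version of policy_id that governed on on_date, or None if none did."""
    for v in versions:
        if v.policy_id != policy_id:
            continue
        ended = v.retired_on is not None and on_date >= v.retired_on
        if v.effective_from <= on_date and not ended:
            return v
    return None


def attested_to(attestations: Iterable[Attestation], v: PolicyVersion,
                person: str, on_date: date) -> bool:
    """True if person had signed off on exactly this version by on_date.
    A signature dated after on_date does not count: it cannot show the person
    knew the rule at the time of the incident."""
    return any(a.person == person and a.policy_id == v.policy_id
               and a.version == v.version and a.signed_on <= on_date
               for a in attestations)


def incident_check(versions: Iterable[PolicyVersion], attestations: Iterable[Attestation],
                   policy_id: str, person: str, incident_date: date) -> dict:
    """Answer the auditor's two questions for one incident."""
    attestations = list(attestations)
    v = version_in_force(versions, policy_id, incident_date)
    if v is None:
        return {"version": None, "attested": False, "finding": "no policy version in force"}
    if attested_to(attestations, v, person, incident_date):
        finding = "ok"
    elif any(a.person == person and a.policy_id == policy_id and a.signed_on <= incident_date
             for a in attestations):
        finding = "attested only to a superseded version"
    else:
        finding = "no attestation on file"
    return {"version": v.version, "attested": finding == "ok", "finding": finding}


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                 # 29 February landing in a non-leap year
        return d.replace(year=d.year + years, month=3, day=1)


def retention_expiry(v: PolicyVersion) -> Optional[date]:
    """Earliest date the record may be destroyed. None while the version is still
    in force, because the six-year clock has not started."""
    if v.retired_on is None:
        return None
    return add_years(max(v.created, v.retired_on), RETENTION_YEARS)


def destroyable(versions: Iterable[PolicyVersion], today: date) -> List[Tuple[str, str, date]]:
    """Versions whose retention period has run out as of today."""
    out = []
    for v in versions:
        exp = retention_expiry(v)
        if exp is not None and today >= exp:
            out.append((v.policy_id, v.version, exp))
    return out


# Constructed sample records (not real policies or people).
VERSIONS = [
    PolicyVersion("SEC-03", "1.0", date(2019, 3, 1), date(2019, 4, 1), date(2022, 10, 1)),
    PolicyVersion("SEC-03", "2.0", date(2022, 8, 15), date(2022, 10, 1)),
]
ATTESTATIONS = [
    Attestation("alice", "SEC-03", "1.0", date(2019, 4, 3)),
    Attestation("alice", "SEC-03", "2.0", date(2022, 10, 5)),
    Attestation("bob", "SEC-03", "1.0", date(2019, 4, 10)),   # never re-attested after 2.0
    Attestation("carol", "SEC-03", "2.0", date(2023, 2, 1)),  # signed after the incident below
]

if __name__ == "__main__":
    incident = date(2023, 1, 15)
    for who in ("alice", "bob", "carol"):
        print(who, incident_check(VERSIONS, ATTESTATIONS, "SEC-03", who, incident))
    for v in VERSIONS:
        print(v.policy_id, v.version, "retain until", retention_expiry(v))
    print("destroyable as of 2029-01-01:", destroyable(VERSIONS, date(2029, 1, 1)))
```

Two details carry the audit point. A signature dated after the incident is ignored, so a late catch-up attestation does not rewrite history, and a version that is still in force has no retention expiry at all, since the six years only start counting once it is superseded.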

Common HIPAA Policy and Procedure Mistakes to Avoid


Even well-meaning organizations stumble in predictable ways. In our documentation work at The Write Direction, these six issues account for most of the gaps we find:

  • Generic copy-paste templates that do not reflect how your organization actually operates.
  • Policies that do not match real practice, so staff follow an unwritten routine instead of the document.
  • Vague language that leaves staff guessing about what to do.
  • No version control, which makes it impossible to prove which policy was in force when an incident happened.
  • Skipped attestation, leaving no record that staff received or accepted the policy.
  • Set-and-forget documents that go years without a review.

Maintaining and Updating Your Policies


HIPAA compliance is ongoing, not a one-time project. Beyond the six-year retention requirement, you must review and update your documentation whenever organizational or environmental changes affect compliance. Triggers include new technology, mergers, new services, and evolving state privacy laws. Some state laws reach beyond their own borders. The Texas Medical Records Privacy Act, for example, can apply to any organization that handles the PHI of a Texas resident, regardless of where that organization sits.

You should also watch for changes to HIPAA itself. As of mid-2026, the Security Rule update that OCR proposed in January 2025 remains the most significant change to that rule in over twenty years. It focuses on stronger cybersecurity controls such as mandatory encryption of ePHI and multi-factor authentication, and it would make most implementation specifications required rather than addressable. That proposal is still in the rulemaking stage and has not been finalized, so the current Security Rule remains in effect. The practical takeaway is simple: a documented review schedule, a change log, and a clear owner for each policy keep your library current and audit-ready rather than letting it drift out of date.

Frequently Asked Questions


What is the difference between a HIPAA policy and a procedure?


A HIPAA policy states the rule your organization follows and the reason behind it. A procedure lays out the exact steps staff take to meet that rule. Policies are stable and high level, while procedures are operational and detailed. Effective HIPAA compliance policy and procedures connect the two, so intent and action stay aligned.

How many HIPAA policies and procedures does an organization need?


There is no fixed number. The right set depends on your risk analysis, your size, and the services you provide. A small practice may need a focused library, while a hospital system needs far more detail. Use a required-policy crosswalk to confirm you cover every applicable rule without padding the library with policies you will never use.

How long must HIPAA policies and procedures be retained?


You must retain HIPAA policies and procedures, along with related records and actions, for at least six years from the later of the date a document was created or last in effect. Storage can be paper or electronic. You must also review and update your documentation whenever organizational or environmental changes affect compliance.

Do business associates need their own HIPAA policies and procedures?


Yes. The HITECH Act extended the Security Rule’s policy, procedure, and documentation requirements to business associates in the same way they apply to covered entities. Any vendor that creates, receives, maintains, or transmits PHI needs written policies. Many should also keep certain Privacy Rule policies for cases where a patient contacts them directly.

Who is responsible for HIPAA policies and procedures in an organization?


HIPAA requires a designated privacy official to develop and implement Privacy Rule policies, and a security official to handle Security Rule policies. In small organizations, these can be the same person. In larger ones, the privacy role often sits with administration while the security role sits with senior IT, given the technical complexity involved.

Build Policies Your Team Will Actually Follow


At The Write Direction, we have seen what separates a binder of policies that collects dust from a living document set that holds up under an audit. The difference comes down to clear structure, plain language, accurate rule mapping, and disciplined version control. Compliance is not just about owning the right policies. It is about writing them so your people understand them and your records prove it.

If your HIPAA compliance policy and procedures need to be built from scratch, rewritten for clarity, or brought back into alignment with current regulations, The Write Direction can help. Our team specializes in turning complex requirements into documentation that is accurate, readable, and ready for review. Reach out through our consultation page at thewrite-direction.com/contact-us or email us directly at [email protected], and let us help you put policies in place that actually work.
