6 Steps to Start Writing and Managing HIPAA Policies and Procedures


Policies and procedures are the backbone of your HIPAA compliance program. They direct your entire team on how to carry out the standards of the HIPAA privacy, security, and breach notification rules.

Policy management is the process of creating, distributing, and updating policies and procedures within an organization. No matter how you maintain your policies and procedures – on paper or in electronic form – you must have a policy management process.

Here are six steps to get you started:

  1. Write your HIPAA policies and procedures
  2. Make policies and procedures available to staff
  3. Train staff on policies and procedures
  4. Develop a review and approval process
  5. Maintain version control
  6. Use templates/software to streamline policy management


1. Write Your HIPAA Policies and Procedures

Your policies should establish the following:

  • Purpose. All policies and procedures are written with a specific purpose in mind, such as meeting a goal, implementing a standard, or providing instructions. You should place the purpose of the policy at the beginning of the document, so the reader understands why the policy was written.
  • Scope. Who does the policy apply to? Is it written for a specific department or the entire organization? Does the policy apply in all situations or only in specific situations? Identify the scope of the policy early on.
  • Procedures. Procedures are the substance of the policy. Here you spell out the “how to” of the policy – the actions employees or the organization should take to meet the requirements of the policy. Procedures should be clear and concise, using short sentences and common words that everyone can understand.

In the Policies module of our HIPAA compliance software, you can build out procedure sections directly within the policy. Add, remove, update, and approve procedures – all from a single place.

Screenshot of a policy in HIPAAtrek with procedure sections in blue.

This is an image of a policy integrated in HIPAAtrek. The two procedures are indicated by the blue bars. You can quickly see each procedure’s status at a glance.

  • Definitions. Some policies include very technical terms. Most of the time, the recipients of the policy will understand the terminology. However, keep in mind that people in the policy review process may not have the same knowledge as the person who carries out the procedure. Ambiguity or misinterpretation can work against your policies. Therefore, you should include a section that defines technical terms, so everyone is clear on what the policy means.

Policies should provide direction, not confusion. For this reason, we added a Definitions module to our software.

Screenshot of HIPAAtrek's Definitions module where several definitions are listed.

The Definitions module lists all definitions, both the default ones we provide and custom ones that you add.

This module contains many HIPAA-related terms, and you can add your own. Throughout the software, you can quickly see definitions by hovering over the underlined words.

Screenshot of a user hovering their cursor over an underlined word and seeing the definition in a hover box.

Hover your cursor over an underlined word to see its definition in a hovercard.

2. Make Policies and Procedures Available to Staff

When you create a policy, you must communicate it to the staff members responsible for carrying it out. Too often, managers develop procedures to help their staff carry out a task but fail to communicate the procedures to staff!

How can employees carry out HIPAA procedures if the policies and procedures are unavailable to them? Make sure you communicate your policies and procedures to your staff, as well as make the documents available so your team can see and use them.

With HIPAAtrek, you never have to worry about staff not having access to your policies and procedures. At any time, they can access policies and procedures from the Policies module. Plus, it’s easy to send notifications, tasks, and reminders from HIPAAtrek to communicate your policies and procedures to your team.

Screenshot of a policy task in HIPAAtrek.

Users can see a list of tasks to complete. Expanding a task reveals instructions related to the assigned policy.

3. Train Staff on Policies and Procedures

You can’t assume that your staff will understand their responsibilities or know how to complete tasks required by your policies. Besides making policies available to staff and communicating policies to them, you must go a step further and train them on your policies. Training staff on policies means equipping them to carry out the procedures as they are written.

In HIPAAtrek, you can assign policies to your staff and incorporate them in training. Training videos and quizzes test individuals’ comprehension.

Screenshot of an administrator assigning quizzes to users.

Here, an administrator is assigning training quizzes to HIPAAtrek users. You can assign videos and quizzes together in the Training module.

4. Develop a Review and Approval Process

Policies aren’t written in a vacuum. They must be reviewed and approved by others above the policy writer’s level. For example, a department head may write a policy, which the director then reviews and sends to the board of directors to give the final approval.

Regardless of your organization’s structure, you should record the individuals involved in the RAF process (review, approve, finalize) within the policy. This gives legitimacy to the finalized policy.

Assign the RAF process to workforce members in HIPAAtrek to streamline policy approval. You will always be able to see what stage your policies are in.

Screenshot of an administrator assigning the RAF process to users in HIPAAtrek.

Here, an administrator is assigning users the RAF process: they assign a user or users to Review, Approve, and Finalize policies.

How Often Should I Update Policies and Procedures?

Policies change over time, and with good reason. When your working environment changes or there’s a change to the regulatory requirements, you may need to revisit your policies. Additionally, some policies are designed to meet state or federal statutes. Therefore, it’s important to keep the policies up to date, as well as keep a record of how the procedures meet state or federal requirements.

5. Maintain Version Control

Maintaining version control over your policies is an important principle of policy management. Version control means you can revisit previous iterations of the policy. HIPAA requires you to maintain your policies’ version history for six years. However, some states require you to retain your policies longer.

With our compliance software, it’s easy to view version history with a side-by-side comparison. Plus, HIPAAtrek maintains version history for 25 years.

Screenshot of a HIPAAtrek user comparing the version history of a policy section.

You can compare the version history of an entire policy or sections of a policy.

6. Use Templates/Software to Streamline Policy Management

We know the frustration of juggling binders packed with documents. Policy management can quickly become a tangled mess of papers and deadlines. That’s why we recommend using some type of resource – such as templates or software – to ease the burden of writing and managing your policies and procedures.

To streamline policy management as much as possible, we developed 70+ policy templates and integrated them into our software so they are ready to use. You can also upload your own policies or build them natively in the software.

Screenshot of HIPAAtrek's Policies module landing page, where policies are organized into groups.

This is a view of the Policies module landing page. HIPAAtrek organizes policies into policy groups for easier use.

Click here to download three of our policy templates for free:

  1. Business Associate Contracts
  2. BYOD (Bring Your Own Device)
  3. Media Disposal

Policy Management: In Summary

Policies and procedures are the backbone of your HIPAA compliance program. They direct your entire team on how to carry out HIPAA standards. To get started on your policy management process, we recommend the following six steps:

  1. Write your HIPAA policies and procedures
  2. Make policies and procedures available to staff
  3. Train staff on policies and procedures
  4. Develop a review and approval process
  5. Maintain version control
  6. Use templates/software to streamline policy management

To learn more about how you can use HIPAAtrek as a policy management tool at your organization, check out our platform page or contact us at support@hipaatrek.com.
