HIPAA Security – Policies and Procedures

The concept of Policies and Procedures should not be anything new for those who work in the healthcare industry. From how to handle garbage to treatment of mental disorders there is a set of instructions to assist those doing the tasks. Even a simple office visit normally ends with a plan of action which are nothing but a set of instructions regarding how this patient will be treated.

Considering the above it should not surprise anyone that the Federal Government has made a point to emphasize the need of Policies and Procedures in their HIPAA Security regulation. In fact, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires Policies and Procedures for every one of the Standards identified in the same. Even if that wasn’t enough, HIPAA Security specifies the need for Policies and Procedures under § 164.316(a).

Simply put, the law requires Covered Entities (CE) and Business Associates (BA) to:

“Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv)”.

Now we (Taino Consultants) turn to reality and what we normally see in the field. As it regards to HIPAA Security Policies and Procedures some CE’s and BA’s have no policies and procedures at all. We also see some that have policies and procedures that are not applicable to the organization. Only in a very few limited cases do we see policies and procedures that comply with the intent of the law. Perhaps part of the problem is that CE’s and BA’s do not understand the importance of HIPAA Security Policies.

Mr. Ray Dunham explained in his article titled: “Information Security Policies: Why They Are Important To Your Organization” he explained that:

“an information security policy is a statement, or a collection of statements, designed to guide employees’ behavior with regard to the security of company data, assets, IT systems, etc. These security policies define the who, what, and why regarding the desired behavior, and they play an important role in an organization’s overall security posture. Information security policies should reflect the risk appetite of executive management and therefore serve to establish an associated security mindset within an organization.

The goal when writing an information security policy is to provide relevant direction and value to the individuals within an organization.”

Mr. Dunham also provided guidelines regarding simple rules to follow when writing an organization’s security policies.

1. Understand the role of security policies in your organization. One of the primary purposes of a security policy is to provide protection – protection for your organization and for its employees.

Another critical role of security policies is to support the mission of the organization. Security professionals need to be sensitive to the needs of the business, so when writing security policies, the mission of the organization should be in the forefront of your thoughts.

2. Ensure your security policies are enforceable.  If the policy is not going to be enforced, then why waste the time and resources writing it? It is important that everyone from the CEO down to the newest of employees comply with the policies.

3. Explain how policy exceptions are handled. You’ve heard the expression, “there is an exception to every rule.” Well, the same perspective often goes for security policies. There are often legitimate reasons why an exception to a policy is needed. In cases where an exception to a policy is needed, the policy should define how approval for the exception to the policy is obtained.

4. Make your security policies brief and succinct. Each policy should address a specific topic (e.g. acceptable use, access control, etc.); it will make things easier to manage and maintain.

My take and recommendation is simple, understand that the creation and implementation of policies and procedures is not only required by the law but at the end these policies and procedures should:

  • Protect the organization
  • Increase efficiencies
  • Keep you compliant with the law


§ 164.316(a)

Information Security Policies: Why They Are Important To Your Organization by Ray Dunham