What is a HIPAA Policies and Procedures Manual?

Uncategorized Jul 03, 2021

It’s time for everybody's favorite subject when it comes to medical practices: HIPAA and HIPAA compliance!


So, I know it's not your favorite. I know it's not my favorite either but it's something we've got to do, much like paying taxes and paying bills. Let's find out how we can do it wisely and review what you need to do to comply with your HIPAA obligations.


Once you set it up, maintaining compliance is, at times, easy, but also easy to forget. So, as we're approaching Independence Day weekend here, let’s take this opportunity to get our compliance requirements in check.


Why during a holiday weekend?

Typically, at my wife's practice, we see a bit of a slowdown as families go on vacation and patients aren't necessarily around, particularly now that people are traveling again. So what I recommend to all of my providers is to take a few hours this weekend, or on one of the days in the slow period around the first week of July, to go through your HIPAA Policies and Procedures Manual and perform a self-audit, and to mark that on your calendar so you do it every year.


So, if you don't know what a Policies and Procedures Manual is, that's a problem, because you need to have one: it's a requirement under HIPAA. A covered entity must have both privacy and security policies and procedures written down somewhere. It doesn't have to be a printed binder, but it does have to be written down, even if only as an electronic file, and you have to know where it is. Your staff, meaning your workforce, also have to know where it is and what it contains.


So let’s review what it is, what it should contain, and how to maintain it throughout the year.


Again, I know it isn’t fun, so I recommend picking a time, or a few times, throughout the year to review your HIPAA compliance plan. As you get further along in your practice, you will likely notice that patients come in waves at different times of the year. For instance, January through March tends to be really busy for our office, but July tends to be on the lighter side. So pick any time in the year and set it on your calendar to just check in with HIPAA. You should be creating a culture of compliance in your workforce throughout the year. However, it is important to sit down and actually go through the manual, make sure it is all still relevant, perform your required self-audits, and identify and remedy any gaps.


Here are the main elements of HIPAA compliance:


Self-Audit

A self-audit is the number one maintenance task you can do as the HIPAA privacy and/or security officer in charge of compliance at your practice. You need to review everything that you do as a practice (covered entity) and make sure that the safeguards you have in place are securing the protected health information, or PHI, and that the policies and procedures you've adopted and are implementing daily still adhere to HIPAA standards. If they do not, that's called a gap.


Gap Identification and Remediation Plan

During that self-audit, you will identify gaps in your plan, and you will remedy them or put a remediation plan in place in your practice. So doing a self-audit is step number one; identifying the gaps and fixing them is step number two, and in the process of fixing them you may need to revise your policies and procedures.


Policies and Procedures

Your policies and procedures manual is really just a framework for how you're going to comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rules. They must be tailored to your business and reviewed, and if necessary, updated annually.


Workforce Training

Part of your manual helps you ensure that employees, or members of your workforce, are trained on HIPAA at least annually. That's another requirement of HIPAA, and it's a good idea to, at the very least, have them review your policies and procedures manual upon hiring and then train them annually.


Business Associates

Each year, covered entities must make sure that they are following up with all of their business associates. The Office for Civil Rights (OCR) has said that it's not enough just to have a business associate agreement in place and then never think about it again; you have to get some assurances from them that they are following HIPAA as well.


Incident Response Plan

Breaches affecting PHI must be reported to the Department of Health and Human Services (HHS) and OCR. In addition, you will need to notify the affected patients. There are even some situations where you have to alert the local media so that they can disseminate the information more widely.



Find a time of year to review your HIPAA Policies and Procedures Manual annually.

I recommend making it a habit and putting it in your calendar each year.

If you need to get your Policies and Procedures Manual you can pick up the Functional Lawyer Template and get your HIPAA plan done the right way.

And if you are still unsure about HIPAA or what you're doing today, you can always reach out to us or set up a consultation with me here.

Stay safe. Don't blow up any digits over the holiday weekend. Protect your body and your practice this week. See you soon!

