Sample HIPAA Policies

These policies are listed for reference only and should be reviewed with your lawyer before implementing them into daily practice. We are not lawyers and are not providing any legal advice. View our legal disclaimer.
Access Control Automatic Log Off
Description: Procedures to ensure automatic logoff is enabled on the proper systems.
Access Control Emergency Access
Description: Procedures for accessing ePHI during an emergency
Access Control Encryption
Description: Procedures for the encryption and decryption of ePHI (Addressable).
Access Control Unique User ID
Description: Assigns a unique ID to each user and establishes the basic responsibilities of that user.
Administrative Safeguards Policy
Description: General introduction and summary of Security Administrative Standards.
Assigned Security Responsibility (2016) Policy
Description: Identifies the team member responsible for the development and implementation of the policies and procedures required by the Security Rule.
Assigned Security Responsibility Job Description Policy
Description: Defines the requirements for the Security Officer Job Description.
Business Associate Contract Policy
Description: Overall Policy regarding BA Contracts.
Business Associate Contract: Written Contract or Other Arrangement (Required)
Description: Policy regarding Business Associate Agreements.
Contingency Plan – Application & Data Criticality Analysis Policy (Addressable)
Description: Data criticality log and ranking of systems.
Contingency Plan – Data Backup Plan
Description: Delineates the organizational procedures used to back up and store ePHI.
Contingency Plan – Disaster Recovery Plan Policy
Description: Procedures for restoring systems and ePHI after a disaster.
Contingency Plan Emergency Mode Operation Plan Policy
Description: Emergency mode operations basics.
Contingency Plan Policy
Description: Basic policy describing actions to mitigate damages in an emergency.
Contingency Plan Testing & Revision Procedure Policy (Addressable)
Description: Activities needed to conduct regular testing of disaster recovery plan.
Device & Media Controls Disposal Policy
Description: Guidelines for the final disposal of electronic equipment and storage media used in association with protected health information.
Device & Media Controls Media Re-use Policy
Description: Guidelines for the removal of ePHI from electronic media before the media is made available for re-use.
Device and Media Control Accountability Policy
Description: Tracking and logging guidelines for all hardware and devices with storage capabilities containing ePHI that are received by or removed from a sensitive area.
Device and Media Control Data Backup and Storage Policy
Description: Guidelines for creating a retrievable, exact copy of ePHI before equipment or storage media is moved.
Evaluation Policy
Description: Policy covering the organization's goal of obtaining satisfactory assurances from team members that they will safeguard ePHI.
Facility Access Control: Security Plan Policy Overview
Description: Establishes the overall physical security needs of the office.
Facility Access Controls – Faxes Policy
Description: Procedures for transmitting PHI via facsimile.
Facility Access Controls – Maintenance Records Policy (Addressable)
Description: Explains the basic procedures relating to physical repairs and/or modifications of the facility where operations and support activities take place.
Facility Access Controls Access Control & Validation Procedures Policy
Description: Rules necessary to grant access to information systems.
Facility Access Controls Contingency Operations Policy (Addressable)
Description: Describes controls for accessing the facility, especially during emergencies.
Healthcare Clearinghouse Isolation Policy – Info Access Management
Description: Ensures information forwarded to Clearinghouses is protected.
HIPAA Security Timely Actions Policy
Description: Actions and forms, with a basic calendar of required activities.
Info Access: Management Authorization Policy Guide
Description: Limits the risk of unauthorized disclosures.
Info Access: Management Policy for Access Modification
Description: Guidelines to establish and modify access.
Integrity Policy
Description: Procedures to verify that data within the system has not been altered or destroyed without authorization.
Internet Access Disclaimer Policy
Description: Used to limit liability when providing Internet access to guests.
Login Monitoring Policy: Security Awareness Training
Description: Identifies unauthorized attempts to access or penetrate systems.
Password Management: Essential Security Training Guide
Description: Effective process for appropriately creating, changing and safeguarding passwords.
Physical Safeguards Policy
Description: One of the key elements of the Security Rule; covers the series of security categories needed to comply with its physical safeguard requirements.
Security Awareness & Training: Metrics
Description: Identifies training topics and gaps in training, and assesses the training program.
Security Awareness & Training: Protection from Malicious Software
Description: Prevents security violations caused by malicious software.
Security Awareness & Training: Security Reminders
Description: Communicates to the workforce changes that may affect privacy and security.
Security Awareness & Training: Training
Description: Basics of the Security Training Program and Policies.
Security Incident Procedures: Breach Notification (Required)
Description: Procedures for notifying affected individuals and regulators following a breach of unsecured PHI.
Security Incident Procedures: Responses & Reporting (Required)
Description: Describes to team members potential indicators or reportable events and what actions to take.
Security Management Process: Catalog and Settings
Description: Identifies all hardware and software that handles ePHI and ensures that security settings are available and have been activated.
Security Management Process: Current Safeguards
Description: Catalogs the safeguards in place and the risks associated with or mitigated by them.
Security Management Process: Emergency Preparedness
Description: Defines components of the Risk Analysis as they cover preparation for emergencies.
Security Management Process: Information System Activity Review Policy
Description: Describes procedures used to review records of system activity, such as audit logs, access reports, and security incident tracking reports.
Security Management Process: Information System Audit
Description: Describes procedures used to review team members' access to records and login attempts.
Security Management Process: Risk Analysis (Required)
Description: Defines the Risk Analysis process and key actions regarding the same.
Security Management Process: Risk Management (Required)
Description: Defines the Risk Management Program and its purpose.
Security Management Process: Risk Management Assignment (Required)
Description: Defines the assignment of the individual responsible for implementing the Security Management Plan.
Security Management Process: Risk Management Update
Description: Defines the requirement to update the Management Plan and the reasons that may trigger an update.
Security Management Process: Risk Updates
Description: Defines the requirement to update the Risk Analysis and the events that trigger an update.
Security Management Process: Sanction Policy (Required)
Description: Defines appropriate sanctions against team members who fail to comply with the security policies and procedures.
Security Management Process: Website Privacy Policy
Description: Information that must be posted on the website.
Security Management: Risk Analysis (Required)
Description: Steps required to assess and prioritize risks.
Security Management: Risk Management (Required)
Description: Risk management actions.
Security Management: Whistleblowers
Description: Describes basic treatment and protection of whistleblowers.
Unauthorized Release of Protected Health Information
Description: Procedures for handling an unauthorized release (breach) of PHI.
Use Of Voice Assistants
Description: Policy covering the use and presence of voice assistants in the work area.
Website Privacy Policy
Description: Describes how patient information collected by our website may be used.
Workforce Security: Access Control
Description: Explains access procedures to team members.
Workforce Security: Authorization and/or Supervision (Addressable)
Description: Procedures for the authorization/supervision of team members who work with ePHI or in locations where it might be accessed.
Workforce Security: Clearance Policy
Description: Procedures for the screening of new employees prior to granting authorization and access to PHI.
Workforce Security: Policy on Policies
Description: This policy addresses the process for developing, issuing and maintaining our policies and applies to all team members and associates.
Workforce Security: Termination Procedures (Addressable)
Description: Secures ePHI from individuals who are no longer authorized to access it.
Workstation Security (Required)
Description: Implements physical security for all workstations and portable devices that access PHI.
Workstation Use (Required)
Description: Defines permitted uses of workstations, basic security considerations and authentication requirements.
Workstation Use: Cell phones
Description: Controls the use of cell phones and the information stored on or transmitted by them.
Workstation Use: Electronic Communication
Description: Identifies the proper use of available resources.
Workstation Use: Personal Digital Assistants (PDAs)
Description: Defines use of the PDAs that connect to the office network.
Workstation Use: Remote Access & Work at Home
Description: Specifies the physical attributes of workstations located outside the confines of the main office.

Our Mission

To safeguard medical data by providing secure, reliable, and fully HIPAA-compliant hosting solutions, enabling healthcare professionals to focus on their primary mission of providing care.