
HIPAA Policies and Procedures: A Complete Template Guide

Build your HIPAA policies and procedures with this template guide. Covers required policies, procedure documentation, common mistakes, and maintenance.

Agency Team

The number one finding in OCR investigations is not a technical failure — it is missing or inadequate documentation. Your HIPAA policies and procedures are not just compliance artifacts; they are the evidence that your organization takes patient data protection seriously.

HIPAA policies and procedures form the documented foundation of your compliance program. The Privacy Rule, Security Rule, and Breach Notification Rule all require covered entities and business associates to maintain written policies governing how protected health information is handled, secured, and disclosed. Without these documents, you cannot demonstrate compliance to the Office for Civil Rights (OCR), cannot consistently train your workforce, and cannot defend your organization in the event of a breach investigation.

This guide covers why HIPAA requires written documentation, the complete list of required policies organized by rule, template guidance for major policy types, the critical distinction between policies and procedures, common documentation mistakes, and how to maintain policies over time.

Why HIPAA Requires Written Policies

HIPAA's requirement for written policies serves three purposes:

  1. Governance — Policies establish your organization's commitment to privacy and security, define acceptable behavior, and create accountability
  2. Operational consistency — Procedures ensure that workforce members handle PHI consistently, regardless of who performs the task
  3. Audit evidence — During OCR investigations or customer security reviews, written policies are the primary evidence of your compliance program's existence and effectiveness

The regulatory basis is explicit: the Security Rule (§164.316) requires policies and procedures to be maintained in written form, retained for six years, and made available to workforce members responsible for implementing them. The Privacy Rule (§164.530) requires similar documentation for privacy practices.

Consequences of Missing Documentation

OCR enforcement actions regularly cite inadequate or missing policies as violations. Penalties range from $100 to $50,000 per violation (per record), up to $1.5 million per year for each violation category. In practice, missing policies compound other violations — if a breach occurs and you cannot produce documented policies showing how PHI should have been protected, the penalty calculus is significantly worse.

Required HIPAA Policies List

Privacy Rule Policies

| Policy | Requirement | Key Content |
| --- | --- | --- |
| Notice of Privacy Practices | §164.520 | How you use and disclose PHI, patient rights, complaint process |
| Minimum Necessary Use | §164.502(b) | Limiting PHI access and disclosure to the minimum necessary for each purpose |
| Patient Access Rights | §164.524 | How patients can access, inspect, and obtain copies of their PHI |
| Amendment Requests | §164.526 | Process for patients to request amendments to their PHI |
| Accounting of Disclosures | §164.528 | Tracking and reporting disclosures of PHI beyond treatment, payment, and operations |
| Authorization | §164.508 | When and how to obtain patient authorization for non-routine disclosures |
| De-identification | §164.514 | Methods for removing identifiers from PHI for research or other uses |

Security Rule Policies

| Policy | Requirement | Key Content |
| --- | --- | --- |
| Risk Assessment | §164.308(a)(1) | Methodology for conducting security risk assessments |
| Access Control | §164.312(a) | User access management, unique IDs, emergency access, automatic logoff |
| Workforce Security | §164.308(a)(3) | Authorization, supervision, clearance procedures, and termination |
| Information Access Management | §164.308(a)(4) | Access authorization, establishment, and modification |
| Security Awareness and Training | §164.308(a)(5) | Training program, security reminders, password management, malware protection |
| Incident Response | §164.308(a)(6) | Incident identification, response, mitigation, and documentation |
| Contingency Planning | §164.308(a)(7) | Data backup, disaster recovery, emergency mode operations |
| Device and Media Controls | §164.310(d) | Media disposal, reuse, accountability, and data backup/storage |
| Audit Controls | §164.312(b) | System activity logging, monitoring, and review |
| Data Integrity | §164.312(c) | Mechanisms to protect ePHI from improper alteration or destruction |
| Transmission Security | §164.312(e) | Integrity controls and encryption for ePHI in transit |
| Business Associate Management | §164.308(b) | BAA requirements, vendor assessment, ongoing oversight |

Breach Notification Rule Policies

| Policy | Requirement | Key Content |
| --- | --- | --- |
| Breach Notification | §164.400-414 | Breach identification, risk assessment, notification timelines (60 days for 500+), documentation |
| Breach Investigation | §164.402 | Four-factor risk assessment to determine if notification is required |

For the technical implementation behind these policies, see our HIPAA cybersecurity requirements guide.

Policy Template Guidance

Each policy should follow a consistent structure:

Standard Policy Template Structure

  1. Policy Title and Identifier — Unique identifier for version control
  2. Purpose — Why the policy exists (1-2 sentences)
  3. Scope — Who and what the policy applies to
  4. Policy Statement — The actual policy requirements (what must be done)
  5. Roles and Responsibilities — Who is accountable for what
  6. Related Procedures — Links to specific procedures implementing the policy
  7. Definitions — Key terms used in the policy
  8. Enforcement — Consequences of non-compliance
  9. Review Schedule — When and how the policy is reviewed
  10. Approval — Signatures, dates, version history

Example: Access Control Policy

Purpose: To ensure that access to electronic protected health information (ePHI) is restricted to authorized workforce members based on their role and job function.

Policy Statement:

  • All workforce members must be assigned a unique user identifier before accessing systems containing ePHI
  • Access permissions must be granted based on the minimum necessary principle — workforce members receive access only to the ePHI required for their specific job function
  • Multi-factor authentication is required for all remote access to systems containing ePHI
  • Workforce member access must be reviewed quarterly by department managers
  • Access must be revoked within 24 hours of employment termination or role change

Procedures: Access request procedure, quarterly access review procedure, termination access revocation procedure.

For comparison with SOC 2 policy writing, see our SOC 2 policy writing guide — many principles transfer directly to HIPAA policies.

Procedures vs. Policies

Understanding the distinction between policies and procedures is critical for HIPAA compliance — OCR evaluates both separately.

| Dimension | Policy | Procedure |
| --- | --- | --- |
| Answers | What and why | How |
| Level | Organizational/strategic | Operational/tactical |
| Audience | All workforce members | Specific role or function |
| Example | "All ePHI must be encrypted at rest" | "To enable encryption on new databases: Step 1: Open AWS console... Step 2: Enable default encryption..." |
| Change Frequency | Annually or when regulations change | As operations or tools change |
| Approval | Senior leadership/compliance officer | Department manager/technical lead |

Why Both Are Required

A policy without procedures is a statement of intent without execution guidance. A procedure without a policy lacks organizational authority and governance context. HIPAA requires both: the policy establishes the rule, and the procedure ensures consistent execution.

Common Documentation Mistakes

Generic Policies Not Tailored to Your Organization

Downloading a template and adding your logo is not compliance. OCR investigators compare your policies against your actual operations — if the policy describes processes that do not exist in your organization or references systems you do not use, it undermines your compliance posture.

Missing Review Dates and Version History

Every policy must show when it was last reviewed, who approved it, and what version it is. Missing review dates suggest the policy was written once and forgotten — exactly the opposite of what HIPAA's continuous compliance model requires.

No Evidence of Implementation

Policies must be implemented, not just documented. You need evidence that workforce members have read and acknowledged policies, that training has been conducted, and that the procedures described in your policies are actually followed in practice.

Policies That Conflict with Actual Practice

If your access control policy states quarterly access reviews but you have never conducted one, you have created evidence of non-compliance. Only document what you actually do or are committed to implementing within a defined timeline.

Treating Policies as a One-Time Exercise

HIPAA compliance is ongoing. Policies created for an initial compliance push and never updated become increasingly disconnected from actual operations, creating growing compliance risk.

Maintaining Policies Over Time

Annual Review Process

  • Schedule annual policy reviews on a fixed calendar (many organizations align with their fiscal year or HIPAA anniversary)
  • Assign policy owners responsible for reviewing and updating specific policies
  • Document the review even if no changes are made — a reviewed-and-affirmed policy is different from a neglected one
  • Update policies when regulations change, incidents occur, or operations change significantly

Version Control

Maintain version history for every policy showing the date of each revision, what changed, who approved the change, and the rationale. This history demonstrates continuous compliance to OCR investigators.

Workforce Acknowledgment

Require all workforce members to acknowledge they have read and understood applicable policies, typically during onboarding and annually thereafter. Maintain records of these acknowledgments as evidence that policies have been communicated.

Triggering Events for Policy Updates

Beyond annual review, update policies immediately when:

  • HIPAA regulations or OCR guidance changes
  • A breach or security incident reveals gaps in existing policies
  • Your organization undergoes significant operational changes (new systems, new business lines, mergers/acquisitions)
  • New workforce roles are created that require different PHI access patterns

For startups building their HIPAA program from scratch, see our HIPAA compliance guide for startups.

Need help developing HIPAA-compliant policies and procedures? Contact Agency for policy templates tailored to your organization's operations and compliance requirements.
