To begin with, HIPAA is a complicated law to understand, much less for which to create compliance documentation. Let’s learn together about HIPAA policies and procedures and how Essential Data Corporation can help you keep up your documentation.


What is HIPAA?

Born of a need to “‘improve the portability and accountability of health insurance coverage’ for employees between jobs,” the Health Insurance Portability and Accountability Act (HIPAA) was passed on August 21, 1999, and signed into law by President Bill Clinton (HIPAA Journal). HIPAA was written to protect both workers and employers. The act also combats fraud, waste, and abuse in health insurance and healthcare delivery. Other passages introduce tax breaks for medical savings accounts, simplify health insurance administration, and provide coverage for employees with pre-existing medical conditions (HIPAA Journal).

Protected Health Information (PHI)

HIPAA deals with protected health information (PHI). According to PCIHIPAA, PHI is demographic information that could identify a client of an organization subject to HIPAA regulation, including names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos. There is also ePHI, electronic protected health information.

Covered Entities and Business Associates

Two types of organizations must be HIPAA compliant: Covered Entities and Business Associates. Covered Entities are organizations that collect, create, or transmit PHI electronically. These include health care providers, health insurance providers, and health care clearinghouses. Business Associates are organizations contracted to work for a covered entity that come across PHI. These include practice management firms, billing companies, third-party consultants, MSPs, EHR platforms, IT providers, faxing companies, physical storage providers, shredding companies, cloud storage providers, attorneys, email hosting services, accountants, and more.

Who Does Not Have to Follow HIPAA?

According to the U.S. Department of Health & Human Services (HHS), organizations that do not have to follow HIPAA include life insurers, employers, and workers’ compensation carriers. Most schools and school districts do not have to comply, and neither do most law enforcement agencies, many municipal offices, and many state agencies.

What are the 5 titles which make up HIPAA?

The five titles of HIPAA are:

  1. Title I: Health Care Access, Portability, and Renewability
  2. Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
  3. Title III: Tax-related Health Provisions Governing Medical Savings Accounts
  4. Title IV: Application and Enforcement of Group Health Insurance Requirements
  5. Title V: Revenue Offset Governing Tax Deductions for Employers

(HIPAA Compliance Journal)

What is the HITECH Act?

To clarify and strengthen enforcement of HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed in February 2009. According to Accountable, as records were increasingly being computerized, the need for such an act became clear. The following infographic from HIPAA Journal details the HIPAA penalties put into effect under HITECH.

The following table from HIPAA Journal shows the penalty amounts adjusted for cost of living increases as of November 2021.

Penalty Tier | Level of Culpability | Minimum Penalty per Violation (adjusted for inflation) | Max Penalty per Violation (adjusted for inflation) | Annual Penalty Limit (adjusted for inflation)
Tier 1 | Lack of Knowledge | $120 | $60,226 | $30,113
Tier 2 | Reasonable Cause | $1,205 | $60,226 | $120,452
Tier 3 | Willful Neglect | $12,045 | $60,226 | $301,130
Tier 4 | Willful Neglect (not corrected within 30 days) | $60,226 | $1,806,757 | $1,806,757

What are the 4 rules of HIPAA?

The four rules of HIPAA are the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Omnibus Rule. These rules are regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights.

The Privacy Rule

This rule has affected all healthcare organizations, providers of health plans (including employers), and healthcare clearinghouses. Since 2013, it has also covered the Business Associates of covered entities and the subcontractors of business associates, according to Accountable.

The Privacy Rule implemented two PHI/ePHI safeguards: the patients’ right to access PHI/ePHI and the Minimum Necessary Rule.

The patients’ right to access PHI/ePHI gives them the right to obtain a copy of their health records, to examine their health records, and to request corrections if necessary.

The Minimum Necessary Rule is largely self-explanatory: employees working with PHI have access only to the minimum amount of PHI that allows them to perform their work.

The Security Rule

The Security Rule deals with ePHI and consists of administrative safeguards, physical safeguards, technical safeguards, and risk assessment (Accountable).

  1. Administrative safeguards involve roles and responsibilities, documentation processes, data maintenance, and training requirements
  2. Physical safeguards encompass access control systems, security systems, and policies about access to ePHI from mobile devices
  3. Technical safeguards incorporate technology and policies that protect PHI from unauthorized access

The Breach Notification Rule

The Breach Notification Rule affects business entities, which are required to notify affected individuals within 60 days of a breach. They must also notify HHS and the media if the breach is severe (Accountable).

The Omnibus Rule

The Omnibus Rule from 2012 updates all previous rules (Accountable). Under it, business associates are now liable for compliance, which is enforced by the Office for Civil Rights, and unauthorized use or sharing of any kind is a breach.

Key Dates in HIPAA History 

(HIPAA Journal)

August 1996 HIPAA signed into law by President Bill Clinton
April 2003 Effective Date of the HIPAA Privacy Rule
April 2005 Effective Date of the HIPAA Security Rule
March 2006 Effective Date of the HIPAA Breach Enforcement Rule
September 2009 Effective Date of HITECH and the Breach Notification Rule
March 2013 Effective Date of the final Omnibus Rule

What Documents Do I Need for HIPAA Policy and Procedure Compliance?

  • HIPAA Risk Management Plan
  • HIPAA Risk Analysis
  • PHI location documentation (map)
  • Notice of Privacy Practices
  • How you’ve eliminated third party risks
  • Software development lifecycles
  • Business associate agreements
  • How the environment is coping with identified vulnerabilities
  • Breach response plan
  • Current/future goals and milestones
  • Explanations of unimplemented addressable implementation standards
  • Work desk procedures
  • Training logs
  • Compliant processes and procedures
  • List of authorized wireless access points
  • List of all devices including physical location, serial numbers, and make/model
  • Electronic commerce agreements
  • Trading partner security requirements
  • Lists of vendors
  • Lists of employees and their access to systems
  • A diagram of your physical office, including exit locations (helpful)
  • Disaster recovery book
  • Employee handbook
  • Above all, policies and procedures for the Privacy Rule, Security Rule, and Breach Notification Rule


At first glance, this exhaustive list may seem exhausting, even impossible. However, technical writers can work with what you have and make it into clear, concise, and compliant documentation.

How Essential Data Corporation Can Help

EDC has a pool of qualified technical writers ready to help with your HIPAA policy and procedure documentation needs. These writers are well-versed subject matter experts who can take what seems like a monumental task and simplify it for you. Above all, our perfect fit guarantee ensures that you will have a top-notch team that produces incredible and compliant HIPAA policy and procedure documentation.

We also have a team of consultants ready to produce a complete line of documentation. Perhaps you only need a single technical writer for a brief project. Either way, Essential Data’s Engagement Manager will lead the project from start to finish. At Essential Data Corporation, we guarantee the quality of our work. Contact us today to get started. (800) 221-0093 or

Written by Heidi Ripplinger