
When creating health insurance documentation, it is necessary to keep in mind the rules laid out by HIPAA. However, HIPAA is a complicated law to understand, and even harder to create compliance documentation for. We will explain what HIPAA policies and procedures are and how Essential Data Corporation can help you keep your documentation for them up to date.


What is HIPAA?

Born of a need to “‘improve the portability and accountability of health insurance coverage’ for employees between jobs,” the Health Insurance Portability and Accountability Act (HIPAA) was passed on August 21, 1999. President Bill Clinton signed the HIPAA into action to protect both workers and employers. The act also combats fraud, waste, and abuse in health insurance and healthcare delivery. Furthermore, there are passages introducing tax breaks for medical savings accounts, simplifying health insurance administration, in addition to providing coverage for employees with pre-existing medical conditions (HIPAA Journal).

There are several ideas and topics that a health insurance business should know about the HIPAA.

Protected Health Information (PHI)

The HIPAA also deals with protected health information (PHI). According to the PCI portion of the HIPAA, PHI is demographic information that could identify a client of an organization subject to HIPAA regulation, including names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos. In addition, there is also ePHI — electronic protected health information. 

Covered Entities and Business Associates

There are two types of organizations that must be HIPAA compliant: covered entities and business associates. Covered entities are organizations that collect, create, or transmit PHI electronically. They include health care providers, health insurance providers, and health care clearinghouses. Business associates are organizations contracted to work for a covered entity that encounter PHI in the course of that work. They include practice management firms, billing companies, third-party consultants, MSPs, EHR platforms, IT providers, faxing companies, physical storage providers, and more.

Who Does Not Have to Follow HIPAA?

According to the U.S. Department of Health & Human Services (HHS), organizations that do not have to follow HIPAA include life insurers, employers, and workers’ compensation carriers. Moreover, most schools and school districts do not have to comply. In addition, most law enforcement agencies, many municipal offices, and many state agencies do not have to comply either.

What are the 5 titles which make up HIPAA?

  1. Title I: Health Care Access, Portability, and Renewability
  2. Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
  3. Title III: Tax-related Health Provisions Governing Medical Savings Accounts
  4. Title IV: Application and Enforcement of Group Health Insurance Requirements
  5. Title V: Revenue Offset Governing Tax Deductions for Employers

(HIPAA Compliance Journal)

What is the HITECH Act?

To clarify and strengthen enforcement of HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed in February 2009. According to Accountable, as records were increasingly becoming computerized, the need for such an act became clear. HIPAA Journal details the HIPAA penalties put into effect under HITECH.

The following table from HIPAA Journal shows the penalty amounts adjusted for cost of living increases as of November 2021 (all figures are inflation-adjusted).

Penalty Tier   Level of Culpability                             Minimum Penalty per Violation   Maximum Penalty per Violation   Annual Penalty Limit
Tier 1         Lack of Knowledge                                $120                            $60,226                         $30,113
Tier 2         Reasonable Cause                                 $1,205                          $60,226                         $120,452
Tier 3         Willful Neglect                                  $12,045                         $60,226                         $301,130
Tier 4         Willful Neglect (not corrected within 30 days)   $60,226                         $1,806,757                      $1,806,757

What are the 4 rules of HIPAA?

There are four rules that define much of the information in HIPAA: the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Omnibus Rule. These rules are regulated by the Department of Health and Human Services and enforced by the Office for Civil Rights.

The Privacy Rule

The Privacy Rule established the safeguards for PHI/ePHI, a patient’s right to access their PHI/ePHI, and the Minimum Necessary Rule.

This rule affects all healthcare organizations, providers of health plans (including employers), and healthcare clearinghouses. Since 2013, it has also covered the business associates of covered entities and subcontractors of business associates, according to Accountable.

The patient’s right to access PHI/ePHI gives them the right to obtain a copy of their health records, as well as to examine their health records. Furthermore, they can request corrections if necessary.

The Security Rule

The Security Rule deals with ePHI and consists of administrative safeguards, physical safeguards, technical safeguards, and risk assessment.

  1. Administrative safeguards involve roles and responsibilities, documentation processes, data maintenance, and training requirements
  2. Physical safeguards encompass access control systems, security systems, and policies about access to ePHI from mobile devices
  3. Technical safeguards incorporate technology and policies that protect PHI from unauthorized access

The Breach Notification Rule

The Breach Notification Rule affects business entities. According to this rule, they are required to notify affected individuals within 60 days of an information breach. In addition, they must also notify HHS and the media if the breach is severe.

The Omnibus Rule

The Omnibus Rule from 2012 updates all previous rules. Under it, business associates are now directly liable for compliance, which is enforced by the Office for Civil Rights. In addition, unauthorized use or sharing of PHI of any kind counts as a breach.

Key Dates in HIPAA History (HIPAA Journal)

  • August 1996: HIPAA signed into law by President Bill Clinton
  • April 2003: Effective date of the HIPAA Privacy Rule
  • April 2005: Effective date of the HIPAA Security Rule
  • March 2006: Effective date of the HIPAA Breach Enforcement Rule
  • September 2009: Effective date of HITECH and the Breach Notification Rule
  • March 2013: Effective date of the final Omnibus Rule

What Documents Do I Need for HIPAA Policy and Procedure Compliance?

  • A HIPAA Risk Management Plan
  • A HIPAA Risk Analysis
  • PHI location documentation (map)
  • Notice of Privacy Practices
  • Information about how you’ve eliminated third-party risks
  • Software development lifecycles
  • Business associate agreements
  • How the environment is coping with identified vulnerabilities
  • Breach response plan
  • Current/future goals and milestones
  • Explanations of unimplemented addressable implementation standards
  • Work desk procedures
  • Training logs
  • Compliant processes and procedures
  • List of authorized wireless access points
  • List of all devices, including physical location, serial numbers, and make/model
  • Electronic commerce agreements
  • Trading partner security requirements
  • Lists of vendors
  • Lists of employees and their access to systems
  • A diagram of your physical office, including exit locations
  • Disaster recovery book
  • Employee handbook
  • Above all, policies and procedures for the Privacy Rule, Security Rule, and Breach Notification Rule

At first glance, this list may seem exhausting, even impossible. However, technical writers can work with what you have and re-interpret it into clear, concise, and compliant documentation.

How Essential Data Corporation Can Help

EDC has a pool of qualified technical writers ready to help with your HIPAA policy and procedure documentation needs. These writers are well versed in health insurance documentation, and their writing skills will ensure that you have effective and accurate documentation. Moreover, they can take what seems like a monumental task and simplify it for you. Above all, our perfect fit guarantee ensures that you will have a top-notch team that produces incredible and compliant documentation.

Whether you need a team of consultants ready to produce a complete line of documentation or a single technical writer for a brief project, Essential Data’s Engagement Manager will lead the project from start to finish. At Essential Data Corporation, we guarantee the quality of our work. Contact us today to get started at (800) 221-0093 or

Written by Heidi Ripplinger