HIPAA Policy Templates

Core policies required for HIPAA compliance. Customize each section for your organization's specific environment and workflows.

Policy 1: Access Control Policy

Satisfies: 45 CFR §164.312(a)(1), §164.308(a)(3), §164.308(a)(4)

1.1 Purpose

To establish standards for granting, modifying, and revoking access to electronic Protected Health Information (ePHI) based on job function and the principle of least privilege.

1.2 Scope

This policy applies to all workforce members, contractors, and third parties who access systems containing ePHI.

1.3 Policy

• All users shall be assigned a unique user ID before being granted access to systems containing ePHI.
• Access rights shall be granted based on the minimum necessary standard — users shall only access the ePHI required to perform their job duties.
• Access requests must be approved by the user's manager and the HIPAA Security Officer.
• User access shall be reviewed at least quarterly and upon any change in job role or employment status.
• Access shall be revoked immediately upon termination and within 24 hours of a role change that no longer requires access.
• Multi-factor authentication (MFA) shall be required for all remote access to systems containing ePHI.
• Automatic session timeout shall be configured to lock workstations after 15 minutes of inactivity.

1.4 Emergency Access

In emergency situations, temporary elevated access may be granted by the HIPAA Security Officer. All emergency access events shall be logged, reviewed within 24 hours, and documented.

Policy 2: Data Backup and Recovery Policy

Satisfies: 45 CFR §164.308(a)(7)(ii)(A), §164.308(a)(7)(ii)(B)

2.1 Purpose

To ensure the availability and recoverability of ePHI through regular backups and tested recovery procedures.

2.2 Policy

• All systems containing ePHI shall be backed up at least daily.
• Backups shall be encrypted using AES-256 or equivalent encryption at rest and in transit.
• Backup copies shall be stored in a geographically separate location from the primary data center.
• Backup integrity shall be verified automatically after each backup cycle.
• Full disaster recovery tests shall be conducted at least annually, with results documented.
• Recovery Time Objective (RTO): ePHI systems shall be recoverable within _____ hours.
• Recovery Point Objective (RPO): Maximum acceptable data loss is _____ hours.
• Backup logs shall be reviewed weekly by the IT team and monthly by the HIPAA Security Officer.

Policy 3: Incident Response Policy

Satisfies: 45 CFR §164.308(a)(6), §164.404, §164.408, §164.406

3.1 Purpose

To establish procedures for detecting, responding to, and recovering from security incidents and breaches involving ePHI.

3.2 Definitions

• Security Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of ePHI.
• Breach: An impermissible use or disclosure of PHI that compromises the security or privacy of the PHI.

3.3 Incident Response Procedures

1. Detection & Reporting: All workforce members must report suspected incidents to the HIPAA Security Officer within 1 hour of discovery via [reporting channel].
2. Containment: The Security Officer shall immediately assess the incident and take steps to contain and limit the scope of the incident.
3. Investigation: A formal investigation shall be initiated within 24 hours. The investigation shall determine:
   • What ePHI was involved
   • Who accessed or received the ePHI
   • Whether the ePHI was actually acquired or viewed
   • The extent to which risk has been mitigated
4. Risk Assessment: Apply the four-factor breach risk assessment per 45 CFR §164.402:
   • Nature and extent of PHI involved
   • The unauthorized person who received or accessed the PHI
   • Whether PHI was actually acquired or viewed
   • Extent to which risk has been mitigated
5. Notification: If a breach is confirmed:
   • Notify affected individuals within 60 days of discovery
   • Notify HHS — immediately if 500+ individuals affected, annually if fewer
   • Notify media if 500+ residents of a state/jurisdiction are affected
6. Remediation: Implement corrective actions to prevent recurrence and update the risk register.

Policy 4: Workforce Training Policy

Satisfies: 45 CFR §164.308(a)(5)(i), §164.530(b)

4.1 Purpose

To ensure all workforce members understand their responsibilities for protecting PHI and ePHI.

4.2 Policy

• All new workforce members shall complete HIPAA training within 30 days of hire.
• All workforce members shall complete refresher training annually.
• Training shall cover:
  • What constitutes PHI and ePHI
  • Permitted uses and disclosures
  • Patient rights under HIPAA
  • Organization's privacy and security policies
  • How to identify and report security incidents
  • Consequences of policy violations (sanctions)
  • Phishing awareness and social engineering
  • Proper workstation and mobile device security
• Training completion shall be documented and records retained for 6 years.
• Role-specific training shall be provided for workforce members with elevated access to ePHI (IT staff, clinical staff, billing staff).
• Additional training shall be provided when there are material changes to policies or procedures.

Policy 5: Device and Media Disposal Policy

Satisfies: 45 CFR §164.310(d)(2)(i), §164.310(d)(2)(ii)

5.1 Purpose

To ensure that ePHI is properly destroyed when hardware or electronic media is disposed of or re-used.

5.2 Policy

• All electronic media containing ePHI shall be sanitized before disposal or re-use using NIST SP 800-88 guidelines.
• Hard drives shall be degaussed and/or physically destroyed.
• Solid-state drives shall be cryptographically erased or physically destroyed.
• Paper records containing PHI shall be cross-cut shredded.
• A disposal log shall be maintained documenting:
  • Date of disposal
  • Description of media/device
  • Serial number or asset tag
  • Method of destruction
  • Person responsible
• Third-party disposal vendors must sign a BAA and provide a certificate of destruction.