Red Flags for HIPAA Policy Compliance

By Kelly McLendon, RHIA, CHPS

Health information management (HIM) professionals tend to take for granted that written policies and procedures are required to comply with the full scope of HIPAA’s Privacy and Security rules.

However, HIPAA and similar regulations are long and technically complex, which can make it a daunting task to institute and maintain a fully compliant set of policies.

There have been few efforts to standardize policies, or the content they should contain, to address HIPAA compliance for covered entities (CEs) and business associates (BAs). It is up to each organization to determine what policies it needs and get them implemented. But beware of red flags that can attract unwanted attention from the Office for Civil Rights (OCR). The rules require specific policy documentation, and OCR uses that documentation as key evidence when it evaluates an organization.

This article looks at the 10 most common red flags for HIPAA policy compliance.

Red Flag #1: Policies and procedures are not searchable

Searchability is critical for two reasons:

  • OCR investigations routinely require production of specific policies.
  • The ability to surface the appropriate policies and procedures is essential to effective workforce training.

Finding the correct content is often difficult because different storage and indexing methods do not always tie related policies together well (for example, it may be hard to retrieve every HIPAA-related privacy policy in one search). HIM departments should implement defined processes to create, maintain, and use all policy content, organized both by the job roles it applies to and by the wider compliance programs it supports.

Red Flag #2: Policies and procedures are not well formatted or indexed

Policies are different from, but related to, procedures. Policies are more general, whereas procedures are more granular. Whether policies and procedures are kept in the same document is not mandated by HIPAA; that is an organizational decision. The index should use names that describe each document's purpose and should point to version-controlled documents.

Red Flag #3: Unclear and non-standardized formatting of policy document sections

Each policy document should follow a standard structure, with its own clearly labeled heading for the title, effective dates, revision versions, approvals, target workforce members, purpose, policy discussion, related forms, procedures, and references.
Healthcare organizations can develop their own formatting and indexing procedures. However, there are numerous resource vendors that offer specialized HIPAA policy and procedure templates and compliance document templates that can be customized to the format of your organization’s existing policies and procedures.

Red Flag #4: Policy and procedure documents too long and complex

HIM departments should be concise, logical, and deliberate in the creation and maintenance of all policy and procedure documentation.

For example, some organizations index their policies and procedures as standalone documents. Other organizations include some procedures in policy documents, along with more granular details in other procedure documentation.
Where policy documents end and procedure documents begin is not mandated; any logical system can be used. Best practice is to keep policies separate from most procedures and include interrelated links.

Policy documents often carry an overview with links to the more detailed procedures, which improves usability and convenience. Procedures change more often than policies, whether because of new regulatory guidance or because a supporting process or software application changed, so they need to be updated and formatted with more flexibility than the broader policy documents. Take this into account when designing the relationship between policy and procedure documents, so that routine updates do not leave the two out of sync.

Additionally, HIM departments should try to keep each policy document within four pages—although that can be tricky with highly complex subjects, such as protected health information (PHI) disclosures and data breaches.

Red Flag #5: Approval processes are inefficient

The formal process for the creation, implementation, and ongoing maintenance of policies and procedures is often dictated by the size and complexity of the organization. In large organizations, information governance determines formats, approvals, implementations, and review schedules. In small organizations, the process may be controlled by an individual or a small team. It is important to have a structure in which every policy is written, approved, dated, version-controlled, and retained for at least six years from the date it was created or the date it was last in effect, whichever is later (the retention period HIPAA sets for required documentation).

Master Privacy and Security Templates
  • Privacy Risk Analysis (Gap Assessment) Policy
  • Documentation for Security and Privacy Compliance
  • Appropriate Access to PHI by Workforce
  • Confidentiality of PHI
  • Minimum Necessary, Limited Data Set, De-Identification
  • Designated Record Set
  • Individual (Patient) Access to PHI
  • Disclosure of PHI
  • Fax Policy
  • Request for Amendment of PHI
  • Request to Restrict Use and Disclosure of PHI
  • Accounting of Disclosures
  • Use and Disclosure for Marketing and Fundraising
  • Authorization for use and Disclosure of PHI for Research Purposes
  • Audit Controls, Access and Privacy Monitoring
  • Security and Privacy Compliance Master Program (Plan) and Notice of Privacy Practices (Plan)
  • Complaints, Privacy Internal and External
  • Breach Determination and Reporting Policy
  • Mitigation of Improper Use or Disclosure
  • Sanctions, Enforcement and Discipline
  • Investigations by HHS – OCR – Other
  • Digital Copier and Device Privacy
  • HIPAA Privacy & Security Workforce Training
  • Email and Internet Use Policy
  • Business Associate Master Policy
  • Business Associate Master Policy for BA or BA Sub-contractor
  • Photo, Video, Non-text Mgmt
  • Risk Management Plan
  • Security Risk Analysis
  • Security Compliance Program (Plan)
  • Authorization to Access and Acceptable Use of Organization Equipment and Proprietary Information Including ePHI
  • Workforce Security Clearance
  • Workforce Termination
  • Physical Security Policy
  • Malware, Hacking and Ransomware Protection
  • Log-in Monitoring
  • Password and Logon Management
  • Security Incident Management
  • Business Continuity, Data Criticality, Back-up, Disaster Recovery
  • Emergency Access
  • Hardware, Media, Mobile Devices, IoT, Medical Devices and Asset Management
  • Automatic Log-off
  • Workstation Security and Use
  • Authentication and Unique ID
  • Access Controls and Data Classification
  • Emergency Plan Testing and Update
  • Integrity Controls Including Encryption, Wireless Connections, Network Management and Data Loss Prevention
  • Maintenance Records Related to Security
  • Cloud Web Hosting and Third Party Software Applications
  • Record Retention
Red Flag #6: Tracking of who was trained on which policies and procedures is never or infrequently performed

HIPAA rules require that workforce members be trained on current, comprehensive policies and procedures. Documentation of who was trained, when, and on which policies must be retained for six years.

Red Flag #7: Policy manuals for privacy and security are printed out and have dust on them

Hard copy versions of policy and procedure documents are not required by HIPAA, but some sites still use them. There are stories of regulators being handed dusty, unused policy binders, especially in physician practices, which signals that the policies are not being used for training or staff lookup. Paper is no longer needed for master policy management; printing and collating is time-consuming and unnecessary unless a hard copy is actually needed for training. Policies kept in a central electronic location that staff know and use are far preferable to a few printed copies. It has become commonplace to create all policies online and to route them through electronic approval workflows. The electronic copies must be well indexed and sorted into virtual folders or saved searches for easy retrieval.

Red Flag #8: Going it alone

It is possible for organizations to create privacy and security policies from scratch, but it is rare. Typically, a concerted effort to build policies, usually with third-party guidance, is undertaken to get an organization's policies implemented.

Policy-creation resources are available online for free, but it is advisable to consider a specialized consultant. The point is to get the policies and procedures to capture as much regulatory and best-practice content as possible.

Regulatory content is not hard; taking the HIPAA rules line by line can produce that. However, best practices—the operational glue that holds operational processes together—is harder to come by.

Many healthcare consultants and sources of HIPAA policy templates tend to break down into approximately 20 to 25 policy templates per rule. (See sidebar for a list of suggested policies.)

Red Flag #9: Policies are outdated

Policy documents whose review dates are not recorded in the document, or that are several years old with no indication of review, can be cited as compliance failures and can factor into financial penalties. Policies must be reviewed on a regular basis; the rules do not define the interval, but a common best practice is to review them annually, or every two years at the longest. Whatever interval is chosen should be documented in an information governance program policy and consistently followed, with sign-off and version updates noted on each review. HIPAA also requires that policies be updated as needed when a change in the rules (or in guidance), or in the organization's environment or operations, materially changes a process; the affected policies and procedures must then be revised to match.
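The review-date check above, together with the six-year retention rule from Red Flag #5 and the training tracking from Red Flag #6, can be automated once policy versions and training completions are kept as structured records. The following Python script is an added example, not tooling from the article or from CompliancePro Solutions. The record layout, the 12-month review interval and the two-member sample inventory are assumptions; the sample data at the bottom is constructed. The six-year figure is HIPAA's documentation retention period (45 CFR 164.316(b)(2)(i) and 164.530(j)); the annual review cadence is the article's best practice, not a mandate.

```python
"""Policy inventory audit for three documentation red flags:
stale reviews (#9), training gaps against current versions (#6),
and retention of superseded versions (#5).

Added example; assumes each policy version is tracked with an effective
date, an optional last-review date and an optional retirement date, and
that each training completion records the policy version covered.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL = timedelta(days=365)  # annual review cadence (assumption, not a rule)
RETENTION_YEARS = 6                     # HIPAA documentation retention period


@dataclass(frozen=True)
class PolicyVersion:
    name: str
    version: str
    effective: date
    last_review: Optional[date] = None  # None: no review ever recorded
    retired: Optional[date] = None      # None: this is the current version


@dataclass(frozen=True)
class TrainingRecord:
    member: str
    policy: str
    version: str
    completed: date


def add_years(d, years):
    """Add calendar years, clamping 29 Feb to 28 Feb in non-leap target years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def current_versions(policies):
    """Map policy name -> the version that has not been retired."""
    return {p.name: p for p in policies if p.retired is None}


def stale_reviews(policies, today):
    """Red Flag #9: current policies with no review date or an overdue one."""
    findings = []
    for p in current_versions(policies).values():
        if p.last_review is None:
            findings.append((p.name, "no review date recorded"))
        elif today - p.last_review > REVIEW_INTERVAL:
            findings.append((p.name, f"last reviewed {p.last_review.isoformat()}"))
    return findings


def training_gaps(policies, records, members):
    """Red Flag #6: members not trained on the current version of each policy.

    A completion logged against a superseded version does not count: the
    workforce must be trained on the policy content that is in force now.
    """
    trained = {(r.member, r.policy, r.version) for r in records}
    gaps = []
    for member in members:
        for p in current_versions(policies).values():
            if (member, p.name, p.version) not in trained:
                gaps.append((member, p.name, p.version))
    return sorted(gaps)


def retention_expired(p, today):
    """Red Flag #5: True only for a retired version held past six years from
    its retirement date. Current versions are never eligible for disposal,
    because they are still 'in effect' and the retention clock has not started.
    """
    if p.retired is None:
        return False
    return today > add_years(p.retired, RETENTION_YEARS)


def run_audit(policies, records, members, today):
    """Bundle the three checks into one findings dictionary."""
    return {
        "stale_reviews": stale_reviews(policies, today),
        "training_gaps": training_gaps(policies, records, members),
        "retention_expired": [(p.name, p.version) for p in policies
                              if retention_expired(p, today)],
    }


# --- constructed sample inventory (not real data) ---
TODAY = date(2020, 6, 1)
SAMPLE_POLICIES = [
    PolicyVersion("Breach Determination and Reporting", "2.0", date(2019, 9, 1), last_review=date(2019, 9, 1)),
    PolicyVersion("Breach Determination and Reporting", "1.0", date(2013, 4, 15), last_review=date(2018, 3, 1), retired=date(2019, 9, 1)),
    PolicyVersion("Password and Logon Management", "1.0", date(2016, 1, 10)),  # never reviewed
    PolicyVersion("Fax Policy", "1.2", date(2017, 5, 1), last_review=date(2018, 5, 1)),  # overdue
    PolicyVersion("Email and Internet Use", "1.0", date(2012, 2, 1), last_review=date(2013, 1, 5), retired=date(2014, 3, 1)),
]
SAMPLE_RECORDS = [
    TrainingRecord("asmith", "Breach Determination and Reporting", "2.0", date(2019, 10, 3)),
    TrainingRecord("asmith", "Password and Logon Management", "1.0", date(2019, 10, 3)),
    TrainingRecord("asmith", "Fax Policy", "1.2", date(2019, 10, 3)),
    TrainingRecord("bjones", "Breach Determination and Reporting", "1.0", date(2018, 6, 12)),  # old version
    TrainingRecord("bjones", "Password and Logon Management", "1.0", date(2018, 6, 12)),
]
SAMPLE_MEMBERS = ["asmith", "bjones"]

if __name__ == "__main__":
    for check, findings in run_audit(SAMPLE_POLICIES, SAMPLE_RECORDS, SAMPLE_MEMBERS, TODAY).items():
        print(check)
        for item in findings:
            print("  ", item)
```

On the sample inventory the audit flags the password policy (no review recorded) and the fax policy (last reviewed more than a year ago), reports that bjones was trained only on the superseded 1.0 breach policy and never on the fax policy, and marks the 2014-retired email policy as past its retention window while keeping the 2019-retired breach policy. Wiring the same checks to a document management system's metadata export turns the "dusty binder" problem into a report that can be produced on demand for an OCR request.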

Red Flag #10: Policies lack security risk analysis or privacy compliance assessments

The security risk analysis (SRA) and the privacy program assessment should include questions about policies for each part of the HIPAA rules. Any missing policy, process, or content must be placed on a prioritized remediation list and addressed in order of importance. The SRA and the privacy assessment are each typically 100 to 200 questions answered yes or no, with comments and attachments. They are usually performed with assessment software or a spreadsheet that tracks the answers and, ideally, generates the prioritized remediation list. The answers often produce a score, although there is no specific score needed to "pass" for HIPAA compliance; scoring helps facilities measure their own progress toward fuller compliance with the entire privacy and security rule sets.

Having well-thought-out, documented, indexed policies and their associated procedures is critical for HIPAA compliance, especially given that they are requested in nearly every OCR investigation. Additionally, the policies must not be ignored or hard to find. Each workforce member should know where the policies and procedures are stored and how to access them. Using the policies themselves for workforce member training is also essential and the best way to impart the requirements each one addresses. A best practice is to discuss one policy at each workforce meeting. Not only does this uncover areas that are not well understood, it often leads to changes that foster better compliance, and that is the goal of any well-functioning HIPAA program.


Kelly McLendon has been a HIM practitioner for over 40 years with a specialization in electronic medical records, privacy, and security for as long as they have existed. He is a founder of CompliancePro Solutions.

Continuing Education Quiz

Review quiz questions and take the quiz based on this article, available online.

  • Quiz ID: Q2049105
  • Expiration Date: May 1, 2021
  • HIM Domain Area: Privacy and Security
The full HIPAA Privacy Rule and HIPAA Security Rule can be found at

1 Comment

  1. Excellent and very timely article.