Foundations

HIPAA Policies and Procedures: What a Small Practice Actually Needs

5 min read · Last reviewed May 22, 2026

The regulatory anchor

Two sections of the regulation drive the policies-and-procedures requirement:

  • Security Rule: 45 CFR 164.316 requires the covered entity to implement reasonable and appropriate policies and procedures to comply with the Security Rule's standards and implementation specifications, and to maintain those policies for six years from the date of creation or the date last in effect, whichever is later.
  • Privacy Rule: 45 CFR 164.530(i)) requires implementation of policies and procedures with respect to PHI designed to comply with the Privacy Rule.

Both rules together set up the small-practice policy stack.

The minimum policy set

A defensible small-practice binder usually contains, at minimum, these policy documents. The exact titles do not matter; what matters is that each topic is covered.

Privacy Rule policies

Security Rule policies

  • Risk analysis methodology
  • Risk management plan
  • Sanction policy (overlaps with Privacy Rule)
  • Information system activity review (audit log review)
  • Assigned Security Responsibility
  • Workforce clearance, authorization, and termination
  • Information access management
  • Security awareness and training, including security reminders
  • Security incident procedures
  • Contingency plan: data backup, disaster recovery, emergency mode operation, testing
  • Evaluation
  • Business associate contracts
  • Facility access controls
  • Workstation use and security
  • Device and media controls
  • Access control (unique user ID, automatic logoff, emergency access, encryption)
  • Audit controls
  • Integrity
  • Authentication
  • Transmission security

Breach Notification Rule policy

  • Incident intake and four-factor analysis
  • Individual, HHS, and media notice
  • Business associate notification flow
  • Fewer-than-500 annual report procedure

Length and format

A common failure mode is policies that are encyclopedic, never read, and never followed. The Security Rule does not require a 60-page document for each topic. A defensible policy is:

  • Clearly titled
  • Dated
  • Versioned (v1, v2 with change log)
  • Approved by the Security or Privacy Official
  • One to three pages of actual procedure
  • Tied to the specific regulatory citation at the top
  • Includes who is responsible and how compliance is verified

Long policies that no one follows lose under audit. Short, accurate policies that workforce members actually use win.

Versioning and retention

164.316(b)) requires retention of policies and procedures and the implementing actions for six years from creation or the date last in effect. 164.530(j)) sets the same retention for Privacy Rule artifacts.

In practice this means:

  • Each policy file is versioned and dated.
  • The current version is signed by the Security or Privacy Official.
  • Prior versions are retained, not overwritten, for at least six years past their replacement.
  • Training records reference the policy version current at the time of training.

Annual review rhythm

The Security Rule at 164.316(b)(2)(iii)(2)(iii)) requires that policies be reviewed periodically and updated as needed. The pragmatic rhythm:

  • Annual full review by the Security or Privacy Official
  • Event-triggered review on material change (new system, new vendor, new workflow, breach, regulatory update)
  • Workforce training event after each material update

What a template should and should not be

Off-the-shelf policy templates have a use: they ensure the practice covers each topic the regulation names. They have a failure mode: practices adopt them verbatim without reflecting actual workflow, and the result is a policy that contradicts what staff actually do.

The defensible pattern is to start from a template that mirrors the regulation's structure and then edit each section to describe what the practice actually does. The audit value of a policy is in how faithfully it describes the operation, not in how comprehensively it cites regulation.

Common gaps OCR cites

Recurring findings in published Resolution Agreements:

  • Policies that reference an outdated rule (pre-Omnibus 2013 text)
  • Policies signed years ago, never refreshed
  • Policies that name a Privacy Official who left two years prior
  • Policies that contradict actual practice (e.g., a policy that says encryption is enabled when the laptop inventory shows otherwise)
  • Gap policies — the practice has a Notice of Privacy Practices but no documented sanction policy or contingency plan

The most overlooked policies

A handful of policies are missing more often than the others:

  • Information system activity review: who reviews logs, how often, what they look for, where the records live
  • Contingency plan testing: documented test results (tabletop or actual exercise)
  • Sanction policy with actual sanction records: the policy is one half; the log of imposed sanctions is the other
  • Workforce termination: documented access removal within a defined window
  • Mobile device and remote access: a small-practice policy covering personal-device use and remote work

Restraint about claims

A policy stack is a foundational element of the HIPAA program, not the whole program. No template makes a practice compliant. The practice is the substance; the policies are the documentation of what the practice does.

How D3rx fits

D3rx SRA Binder Studio assembles a policy stack tied to the Security Rule, Privacy Rule, and Breach Notification Rule citations, prompts the practice for the specifics that turn a template into an operational policy, and keeps a version history with the six-year retention in mind. It is a point-in-time administrative documentation aid; the practice remains responsible for the substance.

Next steps

See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.

Where do you stand on your SRA today?

Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR 164.316https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316
  2. 45 CFR 164.530(i)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(i
  3. 164.316(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316#p-164.316(b
  4. 164.530(j)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(j
  5. Resolution Agreementshttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html

Sources verified as of May 22, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides