HIPAA Policies and Procedures: What a Small Practice Actually Needs
5 min read · Last reviewed May 22, 2026
The regulatory anchor
Two sections of the regulation drive the policies-and-procedures requirement:
- Security Rule: 45 CFR 164.316 requires the covered entity to implement reasonable and appropriate policies and procedures to comply with the Security Rule's standards and implementation specifications, and to maintain those policies for six years from the date of creation or the date last in effect, whichever is later.
- Privacy Rule: 45 CFR 164.530(i)) requires implementation of policies and procedures with respect to PHI designed to comply with the Privacy Rule.
Both rules together set up the small-practice policy stack.
The minimum policy set
A defensible small-practice binder usually contains, at minimum, these policy documents. The exact titles do not matter; what matters is that each topic is covered.
Privacy Rule policies
- Use and disclosure of PHI, including treatment, payment, and operations
- Minimum necessary
- Authorization for non-permitted uses
- Notice of Privacy Practices: drafting, posting, distributing
- Patient right of access to designated record set
- Patient right to amend
- Patient right to an accounting of disclosures
- Patient right to request restrictions and confidential communications
- Marketing and sale of PHI
- Fundraising
- Personal representatives and deceased individuals
- Verification of identity for disclosures
- Designated Record Set definition
- Privacy Official designation
- Complaint procedure
- Sanction policy
- Mitigation
- Workforce training
- Documentation retention
Security Rule policies
- Risk analysis methodology
- Risk management plan
- Sanction policy (overlaps with Privacy Rule)
- Information system activity review (audit log review)
- Assigned Security Responsibility
- Workforce clearance, authorization, and termination
- Information access management
- Security awareness and training, including security reminders
- Security incident procedures
- Contingency plan: data backup, disaster recovery, emergency mode operation, testing
- Evaluation
- Business associate contracts
- Facility access controls
- Workstation use and security
- Device and media controls
- Access control (unique user ID, automatic logoff, emergency access, encryption)
- Audit controls
- Integrity
- Authentication
- Transmission security
Breach Notification Rule policy
- Incident intake and four-factor analysis
- Individual, HHS, and media notice
- Business associate notification flow
- Fewer-than-500 annual report procedure
Length and format
A common failure mode is policies that are encyclopedic, never read, and never followed. The Security Rule does not require a 60-page document for each topic. A defensible policy is:
- Clearly titled
- Dated
- Versioned (v1, v2 with change log)
- Approved by the Security or Privacy Official
- One to three pages of actual procedure
- Tied to the specific regulatory citation at the top
- Includes who is responsible and how compliance is verified
Long policies that no one follows lose under audit. Short, accurate policies that workforce members actually use win.
Versioning and retention
164.316(b)) requires retention of policies and procedures and the implementing actions for six years from creation or the date last in effect. 164.530(j)) sets the same retention for Privacy Rule artifacts.
In practice this means:
- Each policy file is versioned and dated.
- The current version is signed by the Security or Privacy Official.
- Prior versions are retained, not overwritten, for at least six years past their replacement.
- Training records reference the policy version current at the time of training.
Annual review rhythm
The Security Rule at 164.316(b)(2)(iii)(2)(iii)) requires that policies be reviewed periodically and updated as needed. The pragmatic rhythm:
- Annual full review by the Security or Privacy Official
- Event-triggered review on material change (new system, new vendor, new workflow, breach, regulatory update)
- Workforce training event after each material update
What a template should and should not be
Off-the-shelf policy templates have a use: they ensure the practice covers each topic the regulation names. They have a failure mode: practices adopt them verbatim without reflecting actual workflow, and the result is a policy that contradicts what staff actually do.
The defensible pattern is to start from a template that mirrors the regulation's structure and then edit each section to describe what the practice actually does. The audit value of a policy is in how faithfully it describes the operation, not in how comprehensively it cites regulation.
Common gaps OCR cites
Recurring findings in published Resolution Agreements:
- Policies that reference an outdated rule (pre-Omnibus 2013 text)
- Policies signed years ago, never refreshed
- Policies that name a Privacy Official who left two years prior
- Policies that contradict actual practice (e.g., a policy that says encryption is enabled when the laptop inventory shows otherwise)
- Gap policies — the practice has a Notice of Privacy Practices but no documented sanction policy or contingency plan
The most overlooked policies
A handful of policies are missing more often than the others:
- Information system activity review: who reviews logs, how often, what they look for, where the records live
- Contingency plan testing: documented test results (tabletop or actual exercise)
- Sanction policy with actual sanction records: the policy is one half; the log of imposed sanctions is the other
- Workforce termination: documented access removal within a defined window
- Mobile device and remote access: a small-practice policy covering personal-device use and remote work
Restraint about claims
A policy stack is a foundational element of the HIPAA program, not the whole program. No template makes a practice compliant. The practice is the substance; the policies are the documentation of what the practice does.
How D3rx fits
D3rx SRA Binder Studio assembles a policy stack tied to the Security Rule, Privacy Rule, and Breach Notification Rule citations, prompts the practice for the specifics that turn a template into an operational policy, and keeps a version history with the six-year retention in mind. It is a point-in-time administrative documentation aid; the practice remains responsible for the substance.
Next steps
See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.
Where do you stand on your SRA today?
Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR 164.316https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316
- 45 CFR 164.530(i)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(i
- 164.316(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.316#p-164.316(b
- 164.530(j)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530#p-164.530(j
- Resolution Agreementshttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
Sources verified as of May 22, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
HIPAA Training Requirements for a Small Practice
5 min readFoundationsHIPAA Security Rule vs Privacy Rule: A Plain-English Map
5 min readVendors and BAAsBAA Vendor List: Which Vendors a Small Practice Needs to Sign With
5 min readAudits and EnforcementThe HIPAA Breach Notification Rule, Explained
6 min readRelated across the archive
- SRAHIPAA Training Requirements for a Small PracticeWhat 45 CFR 164.530(b) and 164.308(a)(5) require for HIPAA workforce training, plus a realistic cadence and documentation approach for a small practice.
- SRAHIPAA Security Rule vs Privacy Rule: A Plain-English MapWhat the Security Rule at 45 CFR Part 164 Subpart C does, what the Privacy Rule at Subpart E does, where they overlap, and which rule the SRA actually answers to.
- SRABAA Vendor List: Which Vendors a Small Practice Needs to Sign WithA working list of the vendor categories a small practice typically needs a Business Associate Agreement with under 45 CFR 164.504(e), plus how to handle subcontractor chains.
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- ComplianceAnnual HIPAA Training Curriculum (What to Cover + How to Document)A 2026 annual HIPAA training curriculum for small healthcare practices — eight required modules under 45 CFR 164.530(b) and 45 CFR 164.308(a)(5), with documentation templates.
- ComplianceHealthcare Incident Response Plan — Template + Tabletop ExerciseA 2026 healthcare incident response plan template aligned to 45 CFR 164.308(a)(6) and NIST SP 800-61 Rev. 3, with a tabletop exercise script for small practices.
- ComplianceAccounting of Disclosures (45 CFR § 164.528): Tracker + ProcedureA 2026 HIPAA Accounting of Disclosures procedure citing 45 CFR § 164.528 — the six-year lookback, what to log, exclusions, and a copy-ready tracker template.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.