HIPAA Security Tip #23: Policies And Procedures

By Iseman Cunningham Riester & Hyde LLP

Covered entities of all sizes must devise and implement “reasonable and appropriate” policies and procedures to comply with the standards and specifications of the HIPAA Security Rule. This requirement is flexible and scalable, taking into consideration the wide range of facilities and businesses covered by the rule, but is nonetheless mandatory. The expectation is that larger and more sophisticated entities will implement extensive and thorough policies for protecting electronic health information and procedures enforcing the policy. Even small entities, however, must have comprehensive policies and procedures in place.

In determining the policy that will best protect electronic health information, and the procedure to best implement the policy, the Covered Entity must consider:

  1. The size, complexity and capability of the entity;
  2. The existing technical infrastructure, hardware, and software security capabilities;
  3. The costs of implementing the security measure; and
  4. The probability and “criticality” of risk to the information. (Criticality is the measure of the impact on the organization if the information is unavailable or is corrupted.)

Effective policies and procedures must rest upon a thorough assessment and understanding of the Covered Entity’s information system. Before drafting policies and procedures, the organization should inventory and document:

  • Where it stores electronic health information;
  • The sources of electronic health information; and
  • Who has internal and external access to the information and why.

A careful inventory may turn up surprises. Faxing a paper document with health information in it doesn’t ordinarily involve electronic health information – unless the fax machine happens to capture a digital copy of the sent item. If that happens, the Covered Entity must consider how that image can be accessed, by whom, and how it should be protected.



HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.

(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.
