HIPAA For MSPs HIPAA Policy and Procedure Templates

HIPAA policy and procedure templates seem to be a panacea to many people who are just trying to meet the standards and move on. However, these are not the droids you seek! Templates can be the basis for what you need to do, but they shouldn’t be the solution to the written policy and procedure requirements under HIPAA.

Often clients ask if we will “give them” their policies and procedures as part of an assessment. They are looking for HIPAA policy and procedure templates PLUS someone to write or update them all. We get concerned over this approach because we have seen a great number of templates and “fill in the blank” policies and procedures in use. Well, not really in use as much as being used as the policy and procedure requirement. Today, we are going to look at some of the reasons we are concerned with this approach along with some of our thoughts on dealing with your policy and procedure requirements.

Where can you get HIPAA policy and procedure templates and what types are available?

There is an abundance of sources available that will create a template for you. They can cost nothing or $1,000 or more. Some examples of template sources include:

  • Attorneys
  • Professional Organizations
  • Vendors for other compliance tools
  • IT vendors
  • ONC

There are also many different ways in which to go about producing the policies and procedures including:

  • I “write” them for you
  • You answer some questions and we spit out your policies and procedures for you.
  • A single Word document
  • A folder full of Word documents
  • An online tool where they all reside

We are not saying that you should not use HIPAA policy and procedure templates; we are just saying don’t use them as an easy fix.

What are the concerns we have about using these approaches to creating your policies and procedures?

Policies and procedures are not all the same, and no single set fits every business. For example, a hospital’s policies and procedures will be much different from a small practice’s or a business associate’s. If you hire someone to write policies and procedures for you, you need to be very thorough in your explanation of your business so the writer knows how to create a plan that works best for you. You need to consider some of the following questions when discussing your policies and procedures.

  • Do you have a plan for what you are going to do with them?
    • Are you just going to have some admin person run through and update all the places that say Your Name Here?
  • Do you even know what any of them say?
  • Did you pick them because they were the cheapest or easiest to get?
  • Does it address what your actual procedures for doing things will be in your organization?
  • Are security templates going to cover what is reasonable and appropriate in your organization?
    • Will they end up being overkill for you, so that you never end up doing them?
  • Are you just going to get another template set when updates are required since you don’t know for sure what is in them?
  • If you use the “fill in the blank” method to generate the set, are you likely to ever read them or even understand them?
  • If you have someone else update them for you, are you going to adapt your business practices to what they say you have to do or just ignore them?

We are not saying that you should not use HIPAA policy and procedure templates; we are just saying don’t use them as an easy fix.

What do we think about building your policies and procedures?

HIPAA policy and procedure templates are a good place to start, but be sure to choose ones that reflect your organization in some way, not just the cheapest or easiest to buy. You should also read them and update them according to what you will do and how you will do it. Lastly, your procedures need to reflect what the policies say, and you should train your staff on what they are supposed to be doing. In short, you shouldn’t change the way you do business to match your policies and procedures; you should create your policies and procedures to fit how you do business.

Let’s say this one more time

We are not saying that you should not use HIPAA policy and procedure templates; we are just saying don’t use them as an easy fix.