HIPAA policies and procedures for small practices: what you must have in writing
The HIPAA Security Rule requires covered entities to maintain written policies and procedures for every safeguard area. Here is what 45 CFR § 164.316 requires, what each policy must address, and the six-year retention obligation.
By CoreFolio
“We follow HIPAA” is not a HIPAA policy. The Security Rule requires something more specific: written documentation of the policies and procedures your practice uses to implement each Security Rule standard and implementation specification.
Under 45 CFR § 164.316(b)(1), covered entities must “implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart.” The documentation must be in written form — which may be electronic — and must be retained for six years.
For a small practice, the obligation does not require a 200-page compliance manual. It requires written policies that address each required area, maintained and updated, and available to the people responsible for implementing them.
What the documentation requirement covers
45 CFR § 164.316 has two parts:
§ 164.316(a) — Policies and procedures: Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements. Allow for updating in response to environmental or operational changes.
§ 164.316(b) — Documentation: The policies and procedures must be:
- Maintained in written form (electronic is acceptable)
- Retained for six years from creation or last effective date, whichever is later
- Made available to persons responsible for implementing the procedures
- Reviewed and updated periodically, and in response to environmental or operational changes
Note that § 164.316 governs the Security Rule documentation specifically. The Privacy Rule has its own documentation requirement at 45 CFR § 164.530(j), which similarly requires written policies and six-year retention.
The policies a small practice must have
The following is a practical inventory of the written policies OCR expects to find in a covered health care provider. This list follows the structure of the Security Rule’s safeguard categories, with Privacy Rule policies addressed at the end.
Security Rule policies
Risk analysis and risk management policy (45 CFR § 164.308(a)(1))
Describes the process for conducting the risk analysis, the frequency of review, who is responsible, and how findings are translated into the risk management plan. References the methodology used (NIST SP 800-30 or equivalent) and the scope of systems covered.
Security Official designation (45 CFR § 164.308(a)(2))
A document designating the Security Official by name or role, describing their responsibilities, and establishing their authority over security policy. For a solo practice, this is a brief written designation — one paragraph is sufficient.
Workforce clearance and access authorization policy (45 CFR § 164.308(a)(3) and (a)(4))
Describes how new workforce members are granted access to ePHI systems, what access levels correspond to what roles, and the process for modifying access when roles change. Addresses background check requirements if any.
Termination procedures (45 CFR § 164.308(a)(3)(ii)(C))
Step-by-step procedure for revoking ePHI access when a workforce member leaves, including: disabling EHR credentials, revoking email access, recovering practice-owned devices, and changing shared passwords. Must include the timeframe for revocation (immediately upon separation is the defensible standard).
Security awareness and training policy (45 CFR § 164.308(a)(5))
Describes the training program — content, frequency, delivery method, and documentation requirements. Specifies that training is required for all workforce members, including management and part-time staff, and within a defined period of new hire onboarding.
Security incident response and breach notification policy (45 CFR § 164.308(a)(6))
Step-by-step procedure for identifying, documenting, responding to, and reporting security incidents and breaches. Includes the four-factor risk assessment process, the internal escalation chain, the notification timeline, and the documentation requirements. References the HHS breach reporting portal.
Contingency plan (45 CFR § 164.308(a)(7))
Covers data backup procedures (frequency, media, location), disaster recovery procedures (how systems are restored after loss), and emergency mode operation procedures (how clinical operations continue if systems are unavailable). Includes a testing schedule.
Evaluation policy (45 CFR § 164.308(a)(8))
Describes the periodic technical and non-technical evaluation process — who conducts it, how often, and what it covers. Typically annual.
Business associate policy and vendor inventory (45 CFR § 164.308(b))
Describes the process for identifying business associates, requiring BAAs before any PHI is shared, and maintaining a current vendor inventory with BAA status. Includes the process for periodic review of the inventory.
Facility access controls policy (45 CFR § 164.310(a))
Describes who has physical access to areas housing ePHI systems, how access is managed, how changes are made when staff leave, and how the facility security plan is reviewed.
Workstation use and security policy (45 CFR § 164.310(b) and (c))
Approved uses of workstations, screen positioning requirements, end-of-session logout requirements, and physical security of devices. Includes remote work requirements if applicable.
Device and media disposal policy (45 CFR § 164.310(d))
Procedures for sanitizing or destroying devices containing ePHI before disposal, reassignment, or repair. Specifies approved destruction methods (NIST SP 800-88) and requires a disposal log.
Access control policy (45 CFR § 164.312(a))
How ePHI system access is controlled technically — unique user credentials, role-based access levels, automatic logoff settings, and procedures for emergency access.
Audit log policy (45 CFR § 164.312(b))
Confirms audit logging is enabled on all ePHI systems, describes the review schedule, and specifies who is responsible for reviewing logs and documenting findings.
Encryption policy (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii))
Documents the encryption standard for ePHI at rest and in transit, confirms which systems have encryption enabled, and records any exceptions together with the rationale for each.
Privacy Rule policies
Notice of Privacy Practices (45 CFR § 164.520)
The NPP is both a patient-facing document and an internal policy. Maintain current and prior versions with effective dates.
Privacy Official designation (45 CFR § 164.530(a))
Written designation of the Privacy Official by name or role.
Minimum necessary policy (45 CFR § 164.502(b))
Describes how the practice applies the minimum necessary standard — what criteria are used to determine what PHI is needed for different types of disclosures, and how staff are trained to apply it.
Patient rights policies (45 CFR §§ 164.522–164.528)
Policies covering patient right of access to records, right to amend records, right to an accounting of disclosures, and right to request restrictions or alternative communications.
Authorization policy (45 CFR § 164.508)
Describes when patient written authorization is required for disclosures and the elements that must be present in a valid authorization.
Six-year retention: a practical note
Retain all versions of each policy — not only the current version. When a policy is updated, archive the prior version with its effective date. A policy revised in January 2026 that originally took effect in 2019 must be retained until at least 2032 (six years from the 2026 revision date), and the 2019 original must be retained until at least 2025 (six years from 2019).
In practice, the simplest approach is to never delete HIPAA policy documents — store all versions in a dated archive and maintain them indefinitely if storage cost is not a constraint.
Keeping policies current
Policies that were drafted five years ago and never reviewed are a common OCR finding. The review obligation in 45 CFR § 164.316(b)(2)(iii) is triggered by:
- Environmental changes: Adopting a new EHR, cloud service, or telehealth platform; adding a new office location; transitioning to remote work arrangements
- Operational changes: Staff turnover in the Security or Privacy Official role; significant changes in workforce size; new business associate relationships
- Regulatory changes: Updates to HIPAA rules or guidance that require policy adjustments
- Annual review cycle: Even without triggering events, policies should be reviewed at least annually and the review should be documented
A policy with no review date notation and no revision history is harder to defend than one that shows it was reviewed, confirmed current, and re-dated every year.
Sources: 45 CFR § 164.316 (policies, procedures, documentation requirements); 45 CFR §§ 164.308, 164.310, 164.312 (Security Rule safeguard standards); 45 CFR § 164.530(j) (Privacy Rule documentation); 45 CFR §§ 164.500–164.534 (Privacy Rule); HHS Security Rule Guidance Material, hhs.gov/hipaa/for-professionals/security/guidance; NIST SP 800-88 (media sanitization). Last verified May 20, 2026.