Having written policies and procedures in place is not only required under HIPAA but is also a wise practice for every medical office. Daniel Shay, an attorney at Alice G. Gosfield and Associates, P.C., in Philadelphia, said there are practical benefits to this activity: It gives staff something to refer to if they have questions or if someone violates a rule, and it provides written documentation of the practices an office expected to be followed.

The list of policies and procedures every office should have is daunting, but there are a handful of these that are easy to craft yet often overlooked. Here are some that experts recommend having on file.



Patient complaints

A valuable procedure to create is one for dealing with patient complaints. If someone walks up to the front desk and says he or she has an issue, what will the staff do about it? Procedures should spell out how to remediate the issue and how to “keep in touch with the patient and make them feel better about it,” said Ron Sterling, principal consultant at Sterling Solutions Ltd in Silver Spring, Md. If the organization flubs the process, the patient is more likely to file a complaint with the Department of Health and Human Services, Sterling said. That complaint could lead to an investigation and uncover more serious problems down the road.

PHI Access

Every office should have a policy regarding who has access to protected health information (PHI). Caregivers clearly need access to PHI during treatment. Billing personnel typically need it only when they are submitting a claim. Front desk staff should see it only when they are checking someone in. This is HIPAA's “minimum necessary” standard in practice: the policy should tie each role to the tasks for which it may view PHI, and the systems should enforce those restrictions rather than relying on staff goodwill. The best way to monitor compliance is electronic tracking that logs who accessed which record, when, and for what purpose, with someone assigned to review that log regularly, because a log nobody reads deters nothing.
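The role-and-task access model and the access log described above can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from the article or from any EHR vendor; the roles, the permitted task contexts, the business-hours window, the review thresholds and the patient records are all assumed for the example. It shows the two halves a practice actually needs: an enforcement point that logs every access attempt, allowed or denied, and a review routine that turns the log into findings a privacy officer can act on.

```python
"""Role/task-based PHI access with an append-only audit log (illustrative, assumed policy)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed policy: each role may read PHI only in the listed task contexts.
POLICY = {
    "clinician": {"treatment"},
    "billing": {"claim_submission"},
    "front_desk": {"check_in"},
}

BUSINESS_HOURS = range(7, 19)  # assumed office hours, 07:00-18:59


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    role: str
    patient_id: str
    context: str
    allowed: bool


class PhiStore:
    """Enforcement point: every read goes through access() and is logged."""

    def __init__(self, records):
        self._records = dict(records)  # patient_id -> record (constructed sample data)
        self._audit = []               # append-only; never exposed for mutation

    def access(self, user, role, patient_id, context, ts):
        allowed = context in POLICY.get(role, set())
        # Log before raising so denied attempts are visible to the reviewer too.
        self._audit.append(AuditEvent(ts, user, role, patient_id, context, allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not read {patient_id} for {context}")
        return self._records[patient_id]

    def audit_log(self):
        return tuple(self._audit)


def review_audit(log, max_patients_per_user=3):
    """Turn the raw log into findings: denied attempts, after-hours reads, unusual volume."""
    findings = []
    patients_seen = defaultdict(set)
    for ev in log:
        if not ev.allowed:
            findings.append(("denied", ev.user, ev.patient_id))
            continue
        if ev.ts.hour not in BUSINESS_HOURS:
            findings.append(("after_hours", ev.user, ev.patient_id))
        patients_seen[ev.user].add(ev.patient_id)
    for user, patients in patients_seen.items():
        if len(patients) > max_patients_per_user:
            findings.append(("high_volume", user, len(patients)))
    return findings


def demo():
    """Run a constructed day of activity and return the reviewer's findings."""
    store = PhiStore({f"P-00{i}": {"name": f"patient {i}"} for i in range(1, 5)})
    day = lambda h, m: datetime(2024, 3, 4, h, m)  # constructed timestamps
    attempts = [
        ("dr_lee", "clinician", "P-001", "treatment", day(9, 15)),
        ("kim", "front_desk", "P-002", "check_in", day(9, 30)),
        ("kim", "front_desk", "P-003", "treatment", day(9, 31)),      # outside role
        ("pat", "billing", "P-001", "claim_submission", day(22, 5)),  # after hours
        ("dr_lee", "clinician", "P-002", "treatment", day(10, 0)),
        ("dr_lee", "clinician", "P-003", "treatment", day(10, 20)),
        ("dr_lee", "clinician", "P-004", "treatment", day(10, 40)),   # 4th distinct patient
    ]
    for user, role, pid, ctx, ts in attempts:
        try:
            store.access(user, role, pid, ctx, ts)
        except PermissionError:
            pass  # the denial is already in the log
    return review_audit(store.audit_log())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The thresholds are deliberately crude; in a real practice the "high volume" check would be scoped to the day's schedule (a clinician seeing four patients is normal, a front-desk clerk opening forty charts is not), and the log would live somewhere the users being logged cannot edit.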

Practice changes

Practices should have policies and procedures in place for evaluating any change that could affect the office's HIPAA risk profile. This might happen if the office purchases a new electronic medical record system or new diagnostic equipment, or if the practice moves into a different space. Each such change is a trigger to revisit the security risk analysis the HIPAA Security Rule requires, rather than waiting for the next scheduled review.

End of day

All offices have a system for end-of-day clinical and financial procedures, such as making sure charges are entered and checks are processed. Sterling contends that offices should have a similar routine for HIPAA procedures as well. Offices need to validate that they are maintaining the security of electronic PHI, for example by confirming that notes have been signed on a timely basis, he said.

Restrictions and disclosures

Offices should have policies and procedures for handling patient requests for restrictions on the use and disclosure of their information. The patient's request should be documented so that staff know to handle that record differently. A plan should also be created for logging disclosures, since patients are entitled to an accounting of them. There should also be procedures for handling patient requests for access to records, for denying access where permitted, and for issuing notifications when a patient's record is amended or an appeal of a denial is filed.

Social media

One area neglected by many offices is social media. Shay said it would be prudent to develop policies for managing personal use of social media in the office by contractors and employees. Shay had a client, for instance, who did not restrict use of social media in the office. A patient came in one day and brought the new front desk person an apple from her orchard. The associate posted a photo of the apple on Facebook with a note about the kindness of their patients. The apple was sitting on the day's chart sheet, which could have caused a breach. Luckily, no patient information was visible, but it could have caused problems for the practice. “There needs to be policies like not taking pictures in the practice and posting on Facebook,” Shay said. “A selfie might have a person or document in the background.”


A few more procedures to have on file include how a practice disposes of PHI, covering both paper files and computers or other media that have stored it. Another is a password policy: when passwords must be changed, a requirement that staff never share their passwords, and a requirement to log out when leaving a computer for an extended period. On the change interval, note that current NIST guidance (SP 800-63B) favors changing a password when compromise is suspected rather than on a fixed schedule, and screening new passwords against lists of known-breached ones; an office that still mandates rotation every 90 days should at least be aware that this is no longer considered best practice.

Michael Ebert, KPMG's national leader for HIPAA services, said a basic policy all offices should have is their HIPAA policy disclosure. Ebert went to one physician's office and asked for their HIPAA policy. He was handed a thick binder, and it was the practice's only copy. The notice (the Notice of Privacy Practices the Privacy Rule requires covered entities to provide) should be posted in the office somewhere, and there should be copies of a condensed version available to hand to anyone who asks for it.