What HIPAA Policies Are Required

A practical guide for covered entities and business associates building or reviewing their compliance documentation library.

One of the most common questions healthcare organizations and business associates ask when building a HIPAA compliance program is a straightforward one: what policies do we actually need? The question is reasonable. HIPAA’s regulatory text does not hand you a checklist. Instead, it describes required and addressable implementation specifications across three separate rules, leaving organizations to determine what documentation is necessary to satisfy those requirements in their specific environment.

This article maps out what HIPAA requires, organized by rule area, so you have a clear picture of what your policy library needs to cover and why.

How HIPAA Defines Policy Requirements

HIPAA does not use the word “required” the way a compliance checklist does. The Privacy Rule, Security Rule, and Breach Notification Rule each contain implementation specifications, and those specifications fall into two categories: required and addressable.

Required specifications must be implemented. There is no flexibility. If a specification is labeled required, your organization must have a policy or procedure addressing it.

Addressable specifications require a documented decision. Your organization must assess whether the specification is reasonable and appropriate for your environment. If it is, you implement it. If it is not, you document why and implement an equivalent alternative measure. Addressable does not mean optional — it means you must engage with the requirement and document your reasoning either way.

Both types require documentation. That documentation is what OCR auditors and investigators look for when they review an organization’s compliance program. An organization that has implemented reasonable safeguards but cannot produce written policies demonstrating that fact is in a much weaker position than one that has documented everything thoroughly.

Privacy Rule Policies

The HIPAA Privacy Rule, codified at 45 CFR Part 164 Subpart E, governs how covered entities use, disclose, and protect protected health information. It applies to covered entities directly and, through Business Associate Agreements, to business associates who handle PHI on their behalf.

A compliant Privacy Rule documentation library needs to address the following areas:

HIPAA Privacy Policy. The foundational policy document governing how your organization handles PHI across all activities. It establishes the scope of the policy, permitted and required uses and disclosures, workforce obligations, and the consequences for violations. This is the first document an OCR investigator will ask to see.

Uses and Disclosures of PHI Policy. A dedicated policy covering the specific circumstances under which PHI may be used or disclosed for treatment, payment, and healthcare operations, and the circumstances that require patient authorization. This policy operationalizes the core Privacy Rule requirements for your workforce.

Minimum Necessary Standard Policy. Required under 45 CFR 164.514(d), this policy establishes how your organization limits PHI access and disclosure to the minimum amount necessary to accomplish the intended purpose. It must cover routine requests, non-routine requests, and disclosure to third parties.

Patient Rights Policy. Covered entities must document procedures for responding to patient rights requests under the Privacy Rule, including the right of access, the right to request amendments, the right to an accounting of disclosures, the right to request restrictions, and the right to receive communications by confidential means.

Notice of Privacy Practices. Covered entities are required to provide patients with a written notice of their privacy practices. The notice must describe how PHI may be used and disclosed, describe patient rights, and explain how to file a complaint.

Privacy Officer designation. The Privacy Rule requires covered entities to designate a Privacy Officer responsible for developing and implementing privacy policies. That designation and the associated responsibilities should be documented in a role description or policy.

Business Associate Agreement. Required whenever a covered entity engages a business associate who will create, receive, maintain, or transmit PHI on its behalf. The BAA is both a contractual requirement and a compliance document that must contain specific provisions defined in the Privacy and Security Rules.

Workforce training documentation. The Privacy Rule requires covered entities to train all workforce members on their privacy policies and procedures. Training must be documented, and documentation must be retained for at least six years.

Sanctions policy. Organizations must apply appropriate sanctions against workforce members who fail to comply with privacy policies. The sanctions policy must be documented and communicated to the workforce.

Security Rule Policies

The HIPAA Security Rule, codified at 45 CFR Part 164 Subpart C, requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic protected health information. The Security Rule applies to both covered entities and business associates directly.

The Security Rule contains more than 75 individual implementation specifications organized across three safeguard categories. Documentation requirements include the following core policies:

Security Risk Analysis. Failure to conduct one is the most frequently cited violation in OCR enforcement actions. Organizations must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI. The risk analysis must be enterprise-wide in scope and must be updated when significant changes occur. Without a documented risk analysis, everything else in your security program lacks an anchor.

Information Security Policy. The overarching policy establishing your organization’s approach to protecting ePHI. It defines scope, responsibilities, and the framework within which all other security policies operate.

Access Control Policy. Required under 45 CFR 164.312(a)(1), this policy covers how your organization manages user access to systems containing ePHI, including unique user identification, emergency access procedures, automatic logoff, and encryption and decryption procedures.

Audit Controls Policy. Organizations must implement hardware, software, and procedural mechanisms that record and examine activity in systems containing ePHI. The policy must document what is logged, how logs are reviewed, and how long audit records are retained.

Workforce Security Policy. Covers authorization and supervision of workforce members who work with ePHI, workforce clearance procedures, and termination procedures to ensure access is removed when employment ends.

Security Incident Response Policy. Required under 45 CFR 164.308(a)(6), this policy establishes procedures for identifying, responding to, mitigating, and documenting security incidents. It is the Security Rule analog to the breach response process under the Breach Notification Rule.

Contingency Plan. Required under 45 CFR 164.308(a)(7), the contingency plan covers data backup, disaster recovery, emergency mode operations, testing, and applications criticality analysis. Organizations without documented contingency planning face significant exposure during OCR reviews.

Device and Media Controls Policy. Covers the receipt, removal, disposal, and reuse of hardware and electronic media containing ePHI. Includes requirements for media sanitization and disposal documentation.

Facility Access Controls Policy. Addresses physical access to facilities where ePHI systems are housed, including contingency operations, facility security plans, access control and validation, and maintenance records.

Transmission Security Policy. Covers the encryption and integrity controls required when ePHI is transmitted over electronic communications networks, including email, file transfer, and remote access connections.

Breach Notification Rule Policies

The HIPAA Breach Notification Rule, codified at 45 CFR Part 164 Subpart D, requires covered entities to notify affected individuals, the Department of Health and Human Services, and in some cases the media following a breach of unsecured PHI. Business associates must notify the covered entity of breaches affecting PHI they handle.

Documentation requirements under the Breach Notification Rule include:

Breach Risk Assessment procedure. When a potential breach occurs, the covered entity must conduct a four-factor risk assessment to determine whether the incident constitutes a reportable breach. The four factors are the nature and extent of the PHI involved, the identity of the unauthorized person who used or accessed the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. This assessment must be documented and retained.

Incident intake and tracking documentation. Organizations need a standardized process for capturing potential incidents when they are first reported, tracking them through investigation, and documenting the outcome. Without a structured intake process, incidents fall through the cracks and notification deadlines get missed.

Notification templates. The Breach Notification Rule specifies what information must be included in notifications to individuals, to HHS, and to media outlets. Having pre-built notification templates reduces the risk of omitting required elements during the pressure of an active incident response.

Sanctions and corrective action documentation. When a breach results from workforce conduct, the organization must document the sanctions applied and any corrective action taken. This documentation demonstrates to OCR that the organization took the incident seriously and took steps to prevent recurrence.

Documentation Retention Requirements

HIPAA requires covered entities and business associates to retain documentation of their policies and procedures for a minimum of six years from the date of creation or the date when the document was last in effect, whichever is later. This retention requirement applies to the policies themselves and to records of activities required by the rules, such as training records, breach risk assessments, and Business Associate Agreements.

Organizations that cannot produce documentation during an OCR investigation are treated as if they had no policies in place, regardless of what their actual practices were. The documentation is the evidence. Maintaining an organized, version-controlled policy library is not an administrative nicety — it is a core compliance requirement.

A Note on Business Associates

Business associates are often surprised to learn that HIPAA’s policy requirements apply to them directly, not just to the covered entities they serve. Under the HITECH Act and its implementing regulations, business associates are directly liable for compliance with the Security Rule’s administrative, physical, and technical safeguard requirements, and for compliance with the Breach Notification Rule’s requirements to notify covered entities of breaches.

A business associate that handles ePHI needs its own security policies, its own risk analysis, its own incident response procedures, and its own workforce training documentation. Signing a Business Associate Agreement does not transfer compliance obligations to the covered entity. It establishes a contractual relationship that presupposes both parties have their own compliance programs in place.

Technology companies, medical billing firms, IT managed service providers, and SaaS vendors with healthcare clients are among the most frequently cited organizations for Security Rule violations precisely because they assume their covered entity clients bear the compliance burden. They do not.

Build Your HIPAA Policy Library

The HIPAA Essentials Library provides professionally written, editable templates covering every policy area described in this article. The Privacy Bundle covers all Privacy Rule documentation requirements. The Security Bundle covers Security Rule policies including the Risk Analysis Worksheet. The Breach Documentation Kit covers Breach Notification Rule documentation from incident intake through corrective action.

For organizations that need complete coverage across all three rule areas, the Compliance Essentials Bundle includes everything in a single, cohesive package. Every template is provided in editable Microsoft Word format, available immediately after purchase.