40. Policies and Procedures


The policy requires that you create written policies and procedures. The policy also establishes the guidelines for:

  • Implementing policies and procedures regarding the security of electronic protected health information.
  • Changing any policies or procedures.
  • Documenting the policies and procedures.

For more information on security standards, see EBIA’s article:
XXX.F. Policies and Procedures, Documentation Requirements

No specific modifications to this policy are necessary.

The following personnel use this policy:

  • The security official
  • Members of the workforce who are responsible for creating and maintaining policies and procedures

Citations addressed by this policy

  • §164.316(a) – Standard: Policies and procedures
  • §164.316(b)(1) – Standard: Documentation
  • §164.316(b)(2)(i) – Time limit (required)
  • §164.316(b)(2)(ii) – Availability (required)
  • §164.316(b)(2)(iii) – Updates (required)

Sample Documents
Sample Policy Modification Log