How frequently should you revise policies for HIPAA compliance?
Gugu Ntsele February 11, 2026
The HIPAA Security Rule requires covered entities and business associates to review and modify their security policies and procedures. 45 CFR § 164.316(b)(2)(iii) states that organizations must "review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information". The Privacy Rule holds the same expectation. A policy document that has not been updated in several years is very likely out of compliance, regardless of how well it was originally written.
Annual reviews are the standard
Organizations should review policies at least once per year. This gives your organization a regular opportunity to confirm that policies reflect current workflows, account for any new regulatory guidance, and address gaps identified through your most recent risk analysis. An annual review should involve input from IT, legal, clinical leadership, human resources, and your privacy officer. Policies should be measured against how work is actually being done.
Certain events require an immediate review
The following situations require a policy review right away, regardless of timing:
- A security breach or near-miss that exposes a gap in existing policy.
- Implementation of new technology, such as a new EHR system, telehealth platform, or cloud service.
- Changes to workforce structure, including new remote work arrangements or outsourced functions.
- A new or materially changed business associate agreement.
- New guidance, enforcement actions, or settlement agreements issued by OCR.
- Changes in state law affecting privacy protections for specific categories of health information.
Delaying a review when any of these events occurs is a well-documented compliance failure, and OCR has cited exactly this kind of inaction in multiple enforcement actions. The December 2023 Montefiore Medical Center HIPAA settlement is an example. After employees improperly accessed and disclosed PHI, Montefiore paid $4.75 million and was required to implement mandatory quarterly policy reviews as part of OCR's corrective action plan. That condition makes the point plainly: regular policy assessment is not optional, but a direct condition of compliance.
Furthermore, in his article Top Five HIPAA Lessons Learned: A Review of HHS Resolution Agreements, Justin Pope notes that "over a third of OCR's case resolution agreements have involved the theft or loss of unencrypted portable devices storing PHI", a finding that shows how operational gaps, left unaddressed, can lead to liability. Pope also observes that HIPAA compliance is "an ongoing, dynamic process" and that "policies that might be reasonable today might not be reasonable tomorrow."
In their study Pursuing Periodic Review of Agency Regulation, Lori S. Bennear and Jonathan B. Wiener found that the net benefits of periodic reviews are likely to be greater "when the evidentiary basis for the regulation is evolving rapidly — such as with changing science, technology, or social conditions." HIPAA-regulated environments, with their constant technological change and evolving threats, fit this description.
Ground your reviews in a risk analysis
According to the HHS Guidance on Risk Analysis, risk analysis is "an ongoing process" that should provide your organization with a detailed understanding of threats to all e-PHI your organization "creates, receives, maintains, or transmits." When that risk profile changes, your policies need to reflect it.
Pope makes the same point from an enforcement perspective, noting that "a thorough, accurate, and current risk assessment is essential." OCR investigations have found that covered entities failed to conduct risk assessments that accounted for all IT equipment, applications, and data systems using ePHI.
The HHS Guidance acknowledges that review frequency is not one-size-fits-all, noting that organizations may conduct risk analysis "annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment." However, it also makes clear that a truly integrated approach is "performed as new technologies and business operations are planned." Organizations that treat risk analysis as a once-a-year formality frequently find that their policies do not keep pace with the actual risks they face. Bennear and Wiener state that "the optimal frequency for reviews should vary in direct proportion to the expected rate of change and the associated gains from learning about policy performance." For healthcare organizations, that rate of change is high.
Document every change
Every revision must be documented. Under 45 CFR § 164.316(b)(2)(i), organizations are required to retain documentation for "6 years from the date of its creation or the date when it last was in effect, whichever is later." Each version should include a clear version number, revision date, and the name of the approving authority.
Proper documentation also serves as your defense during an audit or OCR investigation. You should be able to show what changed, why it changed, when the updated policy was approved, and how it was communicated to staff.
Compliance is an organization-wide responsibility
Pope states that, "the privacy and security of patient information should be taken into account when determining how to establish a new policy or utilize a new technology in the office. Routinely making HIPAA a part of the discussion goes a long way toward reducing your exposure."
Research on regulatory review reinforces this. Bennear and Wiener found that organizations making periodic reviews work best had "developed data sources and staffing models that enable ongoing monitoring, learning, and updating as a continuous process — rather than a last-minute dash to produce a report by the due date." The same principle applies directly to HIPAA compliance programs.
Best practices for maintaining up-to-date HIPAA policies
As Donna Vanderpool notes in HIPAA Compliance: A Common Sense Approach, the Security Rule is intentionally "designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity's particular size, organizational structure, and risk to consumers' ePHI." This means that while the obligation to maintain current policies applies universally, the specific measures you take should be designed to your organization's needs.
With that principle in mind, here are the best practices every covered entity should follow:
- Assign clear ownership. Designate a privacy officer or compliance lead who is explicitly responsible for initiating, tracking, and documenting policy reviews.
- Train staff regularly and meaningfully. Training should be updated whenever policies are revised, not just delivered once at onboarding.
- Terminate access promptly when employees leave. Vanderpool highlights a cautionary example in which a hospital "failed to terminate remote access to the web-based scheduling calendar, which contained ePHI," resulting in an ex-employee accessing the records of 557 patients and a settlement exceeding $111,000.
- Take phishing and cybersecurity threats seriously at every scale. Criminals routinely target healthcare organizations through phishing emails. As Vanderpool documents, Anthem paid OCR $16 million following a breach affecting nearly 79 million individuals that began when an employee responded to a malicious email.
- Review vendor and business associate agreements whenever relationships change. Policies governing third-party access to PHI must keep pace with your actual vendor landscape. A new software tool, a changed service arrangement, or an expired agreement can each create compliance exposure if policies are not updated accordingly.
- Monitor OCR enforcement actions on an ongoing basis. OCR's publicly available Resolution Agreements and Civil Monetary Penalty decisions are a source of insight into where organizations fall short.
FAQs
What happens if OCR finds my policies are outdated during an investigation?
OCR can impose civil monetary penalties, require a corrective action plan, and mandate ongoing monitoring. The Montefiore settlement described above, with its $4.75 million payment and mandatory quarterly policy reviews, is an example of all three.
Does HIPAA policy review apply to paper records, or only electronic systems?
The Privacy Rule covers protected health information in all forms, including paper records and oral disclosures, so its policy review expectation applies to them too. The Security Rule, including 45 CFR § 164.316, applies specifically to electronic protected health information (ePHI).
Can a small or solo practice be held to the same review standards as a large hospital?
While the Security Rule is scalable to organizational size, the obligation to maintain current and accurate policies applies to every covered entity regardless of how many staff or resources they have.