📝 Phase 2 · 4-6 weeks

Phase 2: Policy Development & Administrative Safeguards

With the risk analysis complete and the Risk Management Plan approved, this phase focuses on building the policy and procedural foundation. You will develop all required HIPAA policies, establish administrative safeguard programs, execute Business Associate Agreements, and create the documentation framework that will govern the organization's ongoing HIPAA compliance. Policies without implementation are useless, so this phase also includes initial workforce training and the establishment of the Privacy and Security Officer roles.

🎯 Objectives

  • Develop and approve all required HIPAA privacy and security policies and procedures
  • Formally establish the Privacy Officer and Security Officer roles with documented responsibilities
  • Execute or update Business Associate Agreements with all identified BAs
  • Create and distribute the Notice of Privacy Practices
  • Establish the sanction policy and complaint procedures
  • Develop the HIPAA training program framework
  • Establish documentation management and retention procedures

HIPAA Policy Suite Development

Develop the complete set of HIPAA-required policies and procedures. At minimum, this includes: Privacy Policy (uses and disclosures of PHI, patient rights, minimum necessary), Security Policy (security management process, risk management), Access Control Policy, Workforce Security Policy, Audit Control Policy, Incident Response Policy, Contingency/Disaster Recovery Policy, Device and Media Controls Policy, Transmission Security Policy, Business Associate Management Policy, Breach Notification Policy, Sanction Policy, Training Policy, Documentation Retention Policy, and Complaint Handling Policy.

🎓 Beginner's Note

A policy says WHAT must be done and WHY. A procedure says HOW to do it, step by step. You need both. For example, the Access Control Policy says 'all access to ePHI must be authorized based on job role and the principle of least privilege.' The associated procedure says 'step 1: manager submits access request form, step 2: Security Officer reviews and approves, step 3: IT provisions access within 24 hours, step 4: confirmation email sent to manager.'

💡 Consultant Tips

  • Do not reinvent the wheel — start with recognized HIPAA policy templates and customize them for the organization
  • Write policies in clear, plain language that workforce members can actually understand and follow
  • Each policy should include: purpose, scope, definitions, policy statement, procedures, responsibilities, enforcement, and references to specific HIPAA regulations
  • Have legal counsel review all policies before final approval, especially the Notice of Privacy Practices and BAA template
  • Establish a policy review cycle — all HIPAA policies should be reviewed and updated at least annually

Privacy Officer and Security Officer Formalization

Formally designate the Privacy Officer and Security Officer with written job descriptions, scope of authority, reporting relationships, and resource allocations. If these roles were identified in Phase 0, this step formalizes them. If candidates need to be hired or assigned, begin that process immediately. Both roles are mandatory under HIPAA — there is no exception, regardless of organization size.

🎓 Beginner's Note

If the organization does not have anyone with the right expertise for these roles, consider recommending external resources: a virtual Privacy Officer (vPO) or virtual Chief Information Security Officer (vCISO) service. These are consultants who fill the role on a part-time or fractional basis, which is common and accepted for smaller organizations.

💡 Consultant Tips

  • The Privacy Officer needs expertise in healthcare regulations, patient rights, and privacy law — this is often a clinical or compliance professional
  • The Security Officer needs expertise in IT security, risk management, and technical controls — this is often an IT security professional
  • In organizations with fewer than 50 employees, one person can fill both roles, but they need both skill sets
  • Ensure both officers have direct access to senior leadership and the authority to make compliance decisions
  • Budget for ongoing professional development — HIPAA regulations evolve, and these officers must stay current

Business Associate Agreement Execution

Using the BA inventory from Phase 0, execute new BAAs or update existing ones for every Business Associate. The BAA must include all provisions required by the Omnibus Rule: permitted uses and disclosures, safeguard requirements, breach reporting obligations, subcontractor requirements, access termination procedures, and PHI return/destruction requirements. Track all BAAs in a central register.

🎓 Beginner's Note

A BAA is not optional — it is a legal requirement. If a healthcare organization shares PHI with a vendor that has not signed a BAA, both the organization AND the vendor are in violation of HIPAA. The BAA is what makes the vendor legally obligated to protect the PHI and what gives the organization legal recourse if the vendor causes a breach.

💡 Consultant Tips

  • Large technology vendors (AWS, Microsoft, Google) have their own BAA templates — review these carefully and negotiate if necessary
  • Smaller vendors may not have a BAA template and may not even know what one is — you may need to provide the template and educate them
  • Do not accept vendor assurances like 'we are HIPAA compliant' without a signed BAA — verbal assurances have no legal standing
  • Set calendar reminders for BAA review dates — BAAs should be reviewed at least annually and updated when services change
  • If a vendor refuses to sign a BAA, the organization CANNOT share PHI with that vendor — find an alternative vendor

Notice of Privacy Practices Development

Create (or update) the organization's Notice of Privacy Practices (NPP). The NPP must describe how the organization uses and discloses PHI, the patient's rights under HIPAA, the organization's legal duties regarding PHI, and how to file a complaint. It must be provided to every patient at their first encounter and posted prominently in the facility and on the organization's website.

🎓 Beginner's Note

The NPP is the document patients receive that explains their privacy rights and how the organization handles their health information. It is the healthcare equivalent of a website privacy policy. Every Covered Entity must have one, must give it to patients, and must follow what it says. If the organization already has an NPP, review it against current HIPAA requirements — many NPPs have not been updated since the 2013 Omnibus Rule.

💡 Consultant Tips

  • The NPP has specific content requirements — use the HHS model NPP as a starting template and customize
  • Write it in plain language at an 8th-grade reading level or below — patients must be able to understand it
  • Include all rights added by the Omnibus Rule: right to electronic copies, right to restrict disclosures to health plans when paying out of pocket
  • Have the NPP translated into languages commonly spoken by the patient population
  • Create a process for obtaining and documenting patient acknowledgment of receipt of the NPP

Training Program Development

Develop a comprehensive HIPAA training program that will be delivered to all workforce members. The program should cover: what HIPAA is and why it matters, what PHI is and how to identify it, permitted uses and disclosures, the Minimum Necessary standard, patient rights, security awareness (passwords, phishing, physical security), the organization's specific policies and procedures, incident reporting, and the sanctions for non-compliance. Create role-specific training modules for staff with specialized PHI responsibilities.

🎓 Beginner's Note

HIPAA training is not a one-time event — it must happen at onboarding for every new workforce member and at least annually for all existing staff. The training does not need to be expensive: online learning platforms, in-person lunch-and-learn sessions, and even well-crafted email series can be effective. The key requirement is DOCUMENTATION — you must be able to prove that every person was trained.

💡 Consultant Tips

  • Use real-world scenarios and examples relevant to the organization's specific operations — generic training is less effective
  • Include practical exercises: 'Is this PHI?' quizzes, phishing email identification exercises, incident reporting practice
  • Create role-specific modules: clinical staff need more privacy training, IT staff need more security training, executives need risk management training
  • Plan for annual refresher training that covers new threats, policy updates, and lessons learned from incidents
  • Build in knowledge assessments (quizzes) and require a passing score for completion

📦 Phase Deliverables

  • Complete HIPAA Policy and Procedure Suite (all required policies documented and approved)
  • Privacy Officer and Security Officer Designation Letters (formal appointments with job descriptions)
  • Executed Business Associate Agreements (for all identified BAs, tracked in central register)
  • Notice of Privacy Practices (final version, approved by legal counsel)
  • HIPAA Training Program (curriculum, materials, role-specific modules, assessment tools)
  • Sanction Policy (documented with progressive discipline framework)
  • Complaint Handling Procedures (internal process and forms for privacy/security complaints)
  • Documentation Retention Policy (6-year minimum retention for all HIPAA documentation)