Here’s something I am sure no therapist in private practice has ever said, “I love getting to make my own hours, set my own fees, and write my own security policies and procedures.” Even a dream job is still 30% stuff you don’t really like doing, as they say. Luckily, there are resources to help make this particular task a lot easier, and good reasons to turn towards it and get it done.

One of the HIPAA Security Rule’s standards is to write policies and procedures that set out what security behaviors your practice will engage in. Essentially, full compliance with HIPAA requires your practice to write out policies that cover how you comply with all the HIPAA Security standards (and also the privacy standards, of course, but we’re not writing about those in this article.)

You’ll also need to cover any security issues, beyond those standards, that you identify as necessary. Let’s look at the “Bring Your Own Device” policy (nope, I didn’t make up that name!) as an example.

Bring Your Own Device (BYOD) is a policy that sets out rules for how staff in the practice need to keep their own personal devices secure so long as they use those devices for work. BYOD is all the rage these days since most people own smartphones and laptops which they want to use in their work (and many practices even rely on their staff members using personal devices at work.) The HIPAA Security Rule didn’t anticipate this, and so it isn’t explicitly addressed in the standards. But a policy that manages the use of personal gear is pretty essential to keeping up all the other HIPAA Security standards in a modern practice.

BYOD is a great example for illustrating two important things about HIPAA Security policies and procedures:

  1. The complexity of the policies and procedures you need changes with the complexity of your practice.
  2. Most practices need policies that go beyond just the basic HIPAA Security standards.

Comparing the Complexity of Policies and Procedures With the Practice’s Complexity

BYOD provides a great illustration of how the complexity of security policies and procedures, just like everything else in HIPAA, can scale up and down with the complexity of your practice. To illustrate, we like to sort mental health practices into three categories of complexity:

  • Clinicians with no helpers at all — truly solo practitioners — usually don’t need a BYOD policy at all. Often, their personal devices are the practice’s devices.
  • A practice with one clinician and one or two helpers needs a BYOD policy, but it can be quite simple. It can even be managed as an agenda item during regular staff meetings.
  • Group practices often need a thorough BYOD policy that is managed (and, when necessary, enforced) by someone designated as the Security Officer.

Knowing Who Needs Policies and Procedures

Anyone who needs to comply with HIPAA needs security policies and procedures as part of full compliance.

The security and privacy world loves policies. Writing policies helps us ensure that we’ve covered everything. It helps us remember everything we need to do (or it helps staff members know what they need to do.) And it provides documentation of those great security behaviors that we regularly engage in.

It’s not much different from writing out treatment plans or documenting interventions. You want clinical documentation to prove you’re meeting standard of care, and possibly to show other clinicians who are working with common clients. In the same way, you want security documentation to prove you’re addressing security standards, and to help anyone who needs to know what your practice’s acceptable and required security behaviors are.

How to Get Template Policies and Procedures

There’s absolutely no reason you cannot write your own policies and procedures with some research and, potentially, some technical help. Most of us don’t have the time to learn all the pieces that go into it, however, much less the time to actually write the things.

Luckily, there are a few ways to get templates. Remember that HIPAA Security policies and procedures go hand-in-hand with performing a security risk analysis, so you’ll likely want a toolset or service provider that can help you with both things.

  1. HIPAACOW has both a risk analysis toolkit and a set of template policies and procedures. It is free for all. However, it is also highly technical. That said, it is made by experts and given freely, so we encourage the private practice security DIY enthusiasts among you to go check it out: HIPAACOW security and privacy documents.
  2. The NASW has a risk analysis and policies and procedures kit for its members. It’s included with NASW membership, but cannot be purchased separately. It is much easier for non-techies than the HIPAACOW tools. We see it as being not quite complete, however. But it is a very solid start. NASW HIPAA Kit.
