# HIPAA Compliance Procedure

> Use this template to document data handling for [system/process] with PHI rules and breach reporting.

## Template Metadata

| Field | Details |
|-------|---------|
| Category | Healthcare |
| Owner | [Team or owner] |
| Version | [Version number] |
| Effective Date | [Date] |
| Review Cycle | [Monthly / Quarterly / Annual / Event-based] |
| Status | [Draft / In Review / Approved] |

## Purpose & Regulatory Basis

Cite applicable HIPAA rules (Privacy Rule, Security Rule, Breach Notification Rule) and the system or process covered.

| Item | Details | Owner | Status |
|------|---------|-------|--------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

### Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

## PHI Definition & Scope

Define Protected Health Information in the context of this procedure. List the 18 HIPAA identifiers relevant to the system. Specify what data elements are present.

| Item | Details | Owner | Status |
|------|---------|-------|--------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

### Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

## Access Control

Provide a role-based access levels table showing each role, its data access scope, and its authentication requirements. Include provisioning and de-provisioning procedures.

| Item | Details | Owner | Status |
|------|---------|-------|--------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

### Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

## Minimum Necessary Standard

Describe how the minimum necessary standard is enforced for this system, with examples for each user role.

| Item | Details | Owner | Status |
|------|---------|-------|--------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

### Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

## Audit & Monitoring

Specify audit log requirements, log retention period, review frequency, and automated alerting for suspicious access patterns.

| Item | Details | Owner | Status |
|------|---------|-------|--------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

### Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

## Breach Identification & Reporting

Describe the breach risk assessment methodology, notification timelines (60-day rule for individuals, immediate for HHS), and breach response team contacts.

| Item | Details | Owner | Status |
|------|---------|-------|--------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

### Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

## Workforce Training

List required HIPAA training topics, frequency, documentation, and new hire onboarding timeline.

| Item | Details | Owner | Status |
|------|---------|-------|--------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

### Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

## Sanctions

State the sanctions for non-compliance, aligned with organizational policy. Use tables for access levels and audit requirements. Reference specific CFR sections.

| Item | Details | Owner | Status |
|------|---------|-------|--------|
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |
| [Item or requirement] | [Describe the relevant detail, evidence, or decision] | [Owner] | [Open / Complete] |

### Notes

[Add context, assumptions, exceptions, evidence links, screenshots, calculations, or reviewer comments.]

## Review and Signoff

Document review conclusions, approvals, unresolved items, and next review date.

| Role | Name | Date | Notes |
|------|------|------|-------|
| Preparer | [Name] | [Date] | [Notes] |
| Reviewer | [Name] | [Date] | [Notes] |
| Approver | [Name] | [Date] | [Notes] |
