Your HIPAA Policies are Out of Date

December 11, 2017

Writing HIPAA policies was an art form practiced by HIPAA consultants, lawyers, IT staff, and compliance officers, but the new Cyber Security Frameworks provide a rational basis for policies built specifically to meet the new standards.

Templates of these policies need to be edited to fit the organization and to document staff assignments. Here is an example policy, SI-3, from the NIST CSF:

General Instructions:

1. Replace all items in red with the information appropriate for your organization, deleting brackets and unused options as needed.

2. Delete these instructions and all others in blue when you have finished with them.

3. Modify text in black, if appropriate, to add, modify or delete wording according to the needs of your organization.

4. Review document and ensure that all remaining text is in black.

5. Document and Disseminate - Once the policy has been approved, print, sign/date as indicated at the bottom of the policy, scan if feasible, and file in the organization’s designated area for storage and/or in the risk assessment document repository.

<Organization Name> <Date of Current Revision> < Your Document #>

NIST Safeguard

<Organization Name> employs <list of tools including perimeter defenses and auto system updating> for malicious code protection.

Assigned Responsibility: <Administrator> <IT Contractor>

HIPAA References: 164.308(a)(5)(ii)(B)

NIST Cybersecurity Framework: DE.CM-4, DE.DP-3, DE.CM-4

Policy Overview:

The computer system has protection against malicious code that can damage and/or compromise the system. Automatic updates for known malicious code have been enabled for the following listed devices, including: <your firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, and workstations, servers, or mobile computing devices on the network>. The virus protection is installed at critical computer system entry and exit points and at workstations, servers, and mobile devices (when present) on the network. Devices without current protection software will not be allowed access to the network.

Suggested Policy Clauses:

  1. <Organization Name> uses virus protection software from <specify vendor> to detect and quarantine or remove malicious code such as viruses, worms, Trojan horses, etc.

  2. In addition to desktop malware protection, perimeter protection is provided by <list devices here>.

Policy and Software License Renewals:

Reminders have been set for the renewal dates of the protection software licenses. The items that carry a recurring license fee are: <List your items here>. The date for the annual policy review is set in the safeguard task assignment or in another designated location.

This policy is part of the NIST risk assessment. Once completed, the policy represents a completed task, which improves the risk assessment score. At the end of each quarter the risk assessment is updated based on completed tasks, and a new risk assessment is issued showing progress.

If your policies are not linked to the CSF, you need to upgrade. Compliance Helper has a program called Jumpstart that can get you up and running on the NIST CSF in 72 hours. Contact for more information
