Past audits and investigations by OCR have repeatedly found the Security policies and procedures required by the regulations, which are vital as your compliance foundation, to be old, out of date, or missing entirely. These results produce findings that often lead to fines.

This will be true this year, primarily since HIPAA celebrated its 20th birthday in 2016, and OCR is auditing 350 entities, including Covered Entities and, for the first time, Business Associates. The “desk checks” will be looking specifically for these documents, and each selected entity will get one chance to respond with its documentation, in whatever state it’s in. The question is: “are you ready?”

Our response is, “don’t panic.” We have the answers you need with our Privacy and Security Policy templates and Preparation Support. Unlike “Compliance in a Box” template packages, our models are not the common boilerplate “cut-and-paste-from-the-web” type that does not fit the Compliance requirements or your organization’s needs.

Scope of Work for Policy Creation for HIPAA Security Rule:

Our documentation framework is complete in all respects: up to date with all the latest requirements and issuances from HHS, and ready to be custom-fitted to your unique environment. Our documents have been put through experienced editorial review to ensure the highest quality plus easy readability. They have also been through a thorough legal review to ensure that we capture the true spirit and letter of the regulations so that your Management and Legal staff will find review and signoff greatly simplified.

We provide you expert support in preparing them. The writers of our framework documents are themselves experts in HIPAA as well as policy writing. They will advise you on any customizations you wish to add or changes you need to make, saving you time and effort by always steering you in the “write” direction.

The final product will be one that contains all the necessary language to set you on the correct course to achieve compliance, and it is flexible enough to conveniently accommodate other standards that you may be subject to, such as PCI for payment card standards, FTC Red Flag rules, and Sarbanes-Oxley control requirements for public reporting entities, to name just a few.

Final Deliverables for HIPAA Security Policies:

The requirements to be met under the HIPAA Security Rule begin with a Risk Analysis. This analysis is at the heart of the process each entity must perform to determine where it may be exposed to technological and non-technological mistakes, flaws, and possible attacks.

Our documentation framework aligns entirely with the OCR process and covers all the points it requires. We walk through the process with you as we conduct the analysis and prepare the documentation capturing the findings. This will include:

  • Facilities
  • Staff and workflow
  • Examination of computers and networks
    • Vulnerability testing
    • Log generation and reporting
    • Incident detection and response
  • Business Associate Contracts
  • Documentation

We then build a summary of the results, compose a Corrective Action Plan, lay out a schedule to accomplish it, roll up our sleeves, and dig in! When we complete the plan, we go back through it with you and review all items so that you know everything is complete.

Risk Analysis can be a complicated process. With over 30 years of industry-leading expertise in this area, we work the process with you, teaching as we collaborate so that when we finish, you will be in a position to do this vital task for yourself in the future.

Part of this effort includes the preparation of the Contingency Plan, which gets you ready in case of some form of disaster – natural and otherwise. Having information that you cannot reach means it may as well not exist. Our plan addresses each requirement HIPAA specifies to make sure that your information and your organization will survive so that your staff can continue their vital work.

Should the day ever come when you are faced with an OCR Audit or investigation, we can help get you ready. When you receive a notification, we go to work to determine what steps must be taken and what is needed to answer their requests and get it all ready. We cover the process and outline potential risks so that you can plan your actions accordingly with your Legal Counsel.

When you couple this framework with the Supremus Group HIPAA Professional Certification Training, you bring everything together to equip your organization to meet any HIPAA Compliance challenge: the right documentation, the right expertise, the right program. Our professional certification program ties them all together. You can find our training program at

Contact us today or email us at for a no-obligation consultation to give you the best solution to meet your HIPAA compliance needs.
