Employee Privacy Policy

Is an Employee Privacy Policy (EPP) Required by HIPAA?

by Jim Moore        11/16/2020

Is an Employee Privacy Policy (EPP) required?

Yes. The HIPAA Privacy Rule requires covered entities to implement written privacy policies and procedures (45 CFR 164.530(i)) and to train all workforce members on them (45 CFR 164.530(b)). The Employee Privacy Policy is the document that puts those policies in front of each employee and records, by signature, that the employee has received them.

Lee Slaton, Smart Training’s Vice President of Healthcare, writes that signed Employee Privacy Policies “can be get-out-of-jail-free cards in worst-case scenarios.”

An Employee Privacy Policy informs employees about their role in protecting patient privacy and health information. However detailed the document may be, it is not a substitute for HIPAA training: the policy states what is expected, and training teaches employees how to meet that expectation. You should have both in place, and documentation of both.

What should come before the Employee Privacy Policies?

Employee Privacy Policies are one of the last elements in a chain of proactive processes that help ensure the security of patient information. The chain starts with background checks before hire, continues with HIPAA training at or shortly after hire, and ends with the signed Employee Privacy Policy. Here is each step in order:

Many Practice Owners never conduct background checks on prospective or current employees. This is like letting the fox into the henhouse. Avoid assuming you “know” someone you hired; verify instead.

The State Department of Public Safety has, for the past several years, offered $3 ‘arrest checks’. These do not probe deeply into someone’s history, but they are better than nothing at all. I always recommend Sterling Check for background checks; their number is 800-899-2272.

A note on HIPAA employee training: One of the real steps forward with Texas House Bill 300 was the requirement that employees be trained on patient privacy within 60 days of hire. Texas Senate Bill 1609 later relaxed this to within 90 days of hire. Federal HIPAA itself only requires training “within a reasonable period of time” after a person joins the workforce (45 CFR 164.530(b)(2)), so the Texas deadline is the one to track.

A final word: There have been cases where newly hired healthcare employees turned out to be part of a data theft ring. These employees take jobs solely to access and steal protected health information (PHI). PHI is extremely valuable on criminal markets, and Practice Owners are not immune to the threat of a criminal employee.

Is an Employee Privacy Policy the same as a Notice of Privacy Practices?

The Employee Privacy Policy is not a substitute for a Notice of Privacy Practices. The two are different documents, both in content and in audience. The Notice of Privacy Practices, which the Privacy Rule separately requires (45 CFR 164.520), is written for patients and should explain in plain language what they can expect with regard to privacy and the handling of their PHI. The Employee Privacy Policy is written for your workforce and ensures that employees understand their responsibilities to protect PHI.

What should I do with Employee Privacy Policies?

Ask each employee to read the Employee Privacy Policy, sign and date it, and return it to you. You may also wish to have employees initial each page to indicate they have read and understood the content.

Provide the employee with a copy of the document they have signed, then file the original. Ideally, you should maintain a file containing only signed Employee Privacy Policies and HIPAA training certifications, so that both are easy to produce during an audit or investigation. Keep in mind that HIPAA requires this kind of documentation to be retained for six years from the date it was created or last in effect, whichever is later (45 CFR 164.530(j)).

What should I include in the Employee Privacy Policy?

Here are some topics that your Employee Privacy Policy should briefly address:

  • Notice of Privacy Practices
  • Assigning privacy and security responsibilities
  • Deceased individuals
  • Minimum necessary use and disclosure of PHI
  • Marketing activities
  • Privacy complaints 
  • Prohibited activities
  • Responsibility
  • Verification of identity
  • Mitigation
  • Safeguards
  • Business associates
  • Training and awareness
  • Material change
  • Sanctions
  • Retention of records
  • Regulatory currency
  • Cooperation with regulatory agencies
  • Investigation and enforcement

What if I need help writing my Employee Privacy Policy?

If you need help writing your Employee Privacy Policy, Smart Training’s Dental Platinum+, Dental Essentials, and Complete Medical Compliance packages provide you with these documents.

With these packages, you will also receive HIPAA-certified employee training modules. Our learning management system (LMS) automatically documents your employee HIPAA training and creates certifications. You can store these certifications with your Employee Privacy Policies.

If you don’t have one of these plans, request a demo with a Compliance Officer.

Trusting Smart Training is like putting your HIPAA compliance on autopilot.

Smart Training
820 W Spring Creek Pkwy, Ste 400-R, Plano, TX 75023