Compliance
How to Create HIPAA-Compliant SOPs: A Step-by-Step Guide
HIPAA doesn't just require you to have security controls — it requires you to document them. The Privacy Rule and Security Rule both mandate that covered entities implement written policies and procedures. An SOP is how you prove that your controls are not only in place but consistently followed. Without documented procedures, an auditor has no basis to confirm compliance, and your organization has no way to train staff uniformly. This guide walks through exactly what goes into a HIPAA-compliant SOP, what to keep out, and how to record healthcare workflows safely.
What Makes an SOP "HIPAA-Compliant"
A common misconception is that a "HIPAA-compliant SOP" is an SOP about HIPAA. It isn't. A HIPAA-compliant SOP is any standard operating procedure that, when followed, helps your organization satisfy a specific HIPAA requirement. HIPAA's Security Rule organizes requirements into three safeguard categories, each of which needs documented procedures:
- →Administrative safeguards — Workforce training procedures, security awareness programs, access authorization workflows, sanction policies for violations, and contingency plan testing.
- →Physical safeguards — Workstation use policies, device disposal and re-use procedures, facility access controls, and visitor management.
- →Technical safeguards — Login and logout procedures, audit control configuration, automatic logoff settings, and encryption key management.
The Office for Civil Rights (OCR) expects each covered entity to maintain written documentation for all implemented specifications and to retain that documentation for six years from creation or last effective date.
What to Include in a HIPAA SOP
A HIPAA SOP should function as a self-contained reference. An auditor or a new employee reading the document should understand exactly what to do without asking anyone. Required fields:
| Field | What to Include |
|---|---|
| Title | Specific, action-oriented (e.g., "EHR Login and Logoff Procedure") |
| HIPAA reference | The CFR section satisfied (e.g., 45 CFR 164.312(a)(2)(iii)) |
| Scope | Which roles this SOP applies to |
| Procedure steps | Numbered, sequential, no ambiguity |
| Version & review date | Date created, date last reviewed, next review date |
| Approver | Name and title of the person who approved this version |
What to Never Put in a HIPAA SOP
The SOP document itself must not become a PHI exposure risk. Avoid these common mistakes:
- →Real patient examples. Never use actual patient names, MRN numbers, diagnoses, or test results to illustrate a workflow step — even in screenshots. Use synthetic or masked test data.
- →System credentials. SOPs sometimes include login URLs but should never include usernames, passwords, or shared credentials. These belong in a password manager, not a document.
- →Unredacted screenshots. If your SOP includes screenshots from an EHR or patient portal, any visible patient data in those screenshots makes the SOP itself a PHI-containing document, subject to all HIPAA controls.
This last point is where most healthcare teams run into problems when using screen recorders to create SOPs. General-purpose tools do not detect PHI in screenshots — they capture whatever is on screen. The SOP ends up containing PHI, and now you have a distribution and access control problem for the document itself.
The Documentation Gap in Healthcare
Most healthcare organizations have written SOPs. Far fewer have SOPs that reflect how staff actually work. The gap between what's written and what's practiced is called the documentation gap, and it's the root cause of most audit findings related to procedure compliance.
The gap develops because writing SOPs from memory is slow and inaccurate. Staff document what they think the process is, not what they actually do. New features get added to clinical systems, workarounds get discovered, and nobody updates the SOP. Within 12 months, the document and the practice have diverged. Recording the actual workflow click-by-click as it happens is the most reliable way to close this gap — the documentation reflects reality because it was captured from reality.
How to Record Healthcare Workflows Without Capturing PHI
The right approach is to record with a tool that handles PHI detection automatically. When evaluating a workflow recorder for HIPAA SOP documentation, look for:
- →Local-only storage. Workflow data, screenshots, and exports should never leave the device. If the tool transmits recordings to a cloud server, that transmission is a covered electronic PHI (ePHI) event requiring safeguards and potentially a BAA with the vendor.
- →Automatic field redaction. Password fields, credit card numbers, SSNs, and other sensitive patterns should be detected and replaced with placeholders before storage — not after.
- →Encryption at rest. The recording database on the device should be encrypted, covering the case where a device is lost or shared.
- →Consent logging. HIPAA's workforce training and access requirements are easier to satisfy when the tool captures a consent timestamp before each recording session.
Claudia records browser workflows locally using AES-256-GCM encryption. No data leaves the device during recording. Sensitive fields are redacted before storage. A consent prompt captures acknowledgment before every session, and an audit log tracks every create, export, and delete event with a timestamp. For healthcare teams documenting EHR workflows, patient portal training, or billing procedures, this architecture is designed to avoid creating new HIPAA obligations from the act of documentation.
One important note: covered entities are still responsible for executing a BAA with their own IT environment where relevant. Because no workflow data is transmitted to Claudia's servers, using Claudia for recording is designed to avoid creating a Business Associate relationship — but your organization's compliance program should validate this interpretation and still governs who can access the recorded SOPs.
Keeping HIPAA SOPs Audit-Ready
A HIPAA SOP that exists but can't be produced during an audit is the same as no SOP. Audit readiness means:
- →Version control. Every revision should have a date, a summary of what changed, and who approved it. Auditors often ask to see the history of a procedure, not just the current version.
- →Annual review. HIPAA requires reviewing and updating documentation periodically, or when environmental or operational changes occur. Build a calendar reminder to review each SOP annually.
- →Acknowledgment records. Document that relevant staff have read and understood each SOP. This is often requested during OCR investigations.
- →Six-year retention. HIPAA requires documentation to be retained for six years from creation or last effective date, whichever is later.
This article is for informational purposes only and does not constitute legal advice. Consult your compliance team or legal counsel to evaluate how Claudia fits within your organization's specific regulatory obligations.
See Claudia's full HIPAA compliance details
Encryption specs, audit log format, consent prompt implementation, and how local-only storage interacts with HIPAA's BAA requirements.
View compliance documentation →Related: How to Write GDPR-Compliant SOPs · FERPA SOP Documentation for Schools · PCI-DSS SOP Requirements