I was given a HIPAA compliance policy manual and asked to review it, propose revisions, and explain my reasoning.

The manual belonged to NAIPTA, the Northern Arizona Intergovernmental Public Transportation Authority, and was adopted in April 2017. It demonstrates a solid foundational commitment to HIPAA compliance, but it is now nearly a decade old.

It was last updated April 19, 2017. Nearly a decade has passed, during which the HHS Office for Civil Rights has issued updated guidance, enforcement under the 2013 Omnibus Rule has matured, and modifications to the HIPAA Privacy Rule were proposed in 2021. None of that is reflected in this manual.

My review identified substantive gaps, outdated provisions, technical errors, and structural weaknesses, as well as areas where the plan falls short of current regulatory expectations and best practices. I proposed revisions across seven categories, but four findings stood out to me as the most significant.


No remote work or mobile device policy

An organization operating in 2026 cannot have a HIPAA compliance program that does not address remote work. HHS has published multiple cybersecurity bulletins on mobile device security, and OCR has investigated and settled numerous cases involving lost or stolen unencrypted devices. The practical stakes are concrete: encryption is an addressable specification under the Security Rule (45 CFR 164.312(a)(2)(iv)), and a lost or stolen device whose PHI is encrypted in line with HHS guidance is not a reportable breach of unsecured PHI, while an unencrypted one generally is. A policy that never tells the workforce which devices may hold PHI, or how those devices must be encrypted and wiped, leaves the organization without that safe harbor.

Original manual: [image] NAIPTA HIPAA manual table of contents, pages one through three

Proposed changes: [image] Proposed remote work and mobile device policy additions


“Employees” vs. “individuals”

HIPAA’s Privacy Rule protects the PHI of “individuals,” the persons who are the subjects of the information (45 CFR 160.103), not only the employees of a covered entity. Throughout this manual, NAIPTA refers to the subjects of PHI as “employees,” which is confusing and potentially limiting given NAIPTA’s role as a covered entity that may handle PHI of individuals beyond its own workforce. The label also blurs a line the rule draws deliberately: employment records held by a covered entity in its role as employer are excluded from the definition of PHI, so a policy framed around “employees” invites misclassification in both directions.

Original manual: [image] NAIPTA authorization table using employee as the category label

Proposed changes: [image] Proposed revision replacing employee with individual terminology


A weak Business Associates policy

The Business Associates Policy is among the weakest sections in the manual. It is very brief and lacks substantive guidance. The 2013 Omnibus Rule substantially expanded Business Associate obligations, making business associates directly liable for Security Rule compliance and extending the definition to their subcontractors, and the manual does not address the required BAA elements under 45 CFR Section 164.504(e)(2) or the Security Rule counterpart at 45 CFR Section 164.314(a).

Original manual: [image] Original NAIPTA Business Associates policy section

Proposed changes: [image] Proposed Business Associates policy additions


Missing protections for special categories of PHI

Substance use disorder records are governed not only by HIPAA but also by 42 CFR Part 2, which imposes significantly more restrictive confidentiality protections (and which was itself revised in February 2024 to align more closely with HIPAA, with a compliance date of February 16, 2026). Mental health records have additional protections under Arizona law (A.R.S. Section 36-509), and psychotherapy notes require a specific authorization under HIPAA itself (45 CFR Section 164.508(a)(2)). HIV/AIDS information is subject to heightened requirements under A.R.S. Section 36-664, and genetic information is protected under GINA and the HIPAA provisions that bar health plans from using it for underwriting (45 CFR Sections 164.502(a)(5)(i) and 164.514(g)).

Original manual: [image] NAIPTA authorization table rows for psychiatric, substance use, and HIV/AIDS categories

Proposed changes: [image] Proposed special categories of PHI policy additions


The NAIPTA HIPAA Compliance Policy Manual demonstrates a genuine organizational commitment to HIPAA compliance and covers many required elements in reasonable detail. The primary concerns with the current version are its age, several significant compliance gaps, and a handful of factual errors. Addressing these issues would better align the manual with current regulatory requirements and OCR enforcement priorities.