How to Create a Written Information Data Security Plan


Are you worried about the security of sensitive information in your practice? Do you want to ensure that your patients’ data is protected from potential threats? Creating a Written Information Security Plan (WISP) is essential for safeguarding confidential data.

In this blog post, we will guide you through all the necessary steps and provide expert tips on how to create an effective WISP for your practice. So, buckle up and get ready to enhance the security of your healthcare business!

What is a Written Information Security Plan?

A Written Information Security Plan (WISP) is a document that outlines the security measures taken to protect electronic protected health information (ePHI). The plan should address physical, technical, and administrative safeguards.

The purpose of a WISP is to prevent unauthorized access, use, disclosure, or destruction of ePHI. A WISP can help covered entities comply with the HIPAA Security Rule and avoid potential fines and penalties.

To create a WISP, covered entities should start by assessing their risks. They should then develop policies and procedures based on those risks. The policies and procedures should be reviewed and updated regularly.

Covered entities should train their employees on the WISP and make sure they understand their roles in protecting ePHI. They should also have procedures in place to deal with security incidents.

Why do you need a Written Information Security Plan?

Your practice needs a Written Information Security Plan (WISP) to protect patient data and other confidential information from unauthorized access or disclosure. A WISP outlines the administrative, physical, and technical safeguards in place to secure electronic protected health information (ePHI).

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities, such as healthcare providers, to have a WISP. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA compliance and may impose hefty fines for failure to comply with the law.

Creating a WISP is not difficult, but it does require some time and effort. Here are some tips to get you started:

1. Assign someone to oversee your WISP. This person will be responsible for ensuring that the plan is up-to-date and comprehensive.

2. Conduct a risk assessment. This will help you identify potential threats and vulnerabilities so you can address them in your WISP.

3. Implement security measures. These could include encryption, firewalls, and password protection.

What should be included in a Written Information Security Plan?

A Written Information Security Plan (WISP) should include a detailed description of your practice’s security procedures and protocols. It should identify the physical, technical, and administrative safeguards in place to protect patient information. The WISP should also include a risk assessment of your practice’s vulnerabilities and a plan for responding to security incidents.

How to create a Written Information Security Plan

Assuming you have already completed a risk assessment and know what HIPAA requires, you can start creating your own Written Information Security Plan (WISP). This should be a living document that is updated as your security program changes and grows. At a minimum, your WISP should include:

  • A description of your current security measures.
  • The results of your most recent risk assessment.
  • A gap analysis of where your current security measures fall short and what needs to be improved.
  • A plan for implementing new security measures, including timelines and budget considerations.
  • Regular review and update cycles for your WISP based on changes in your practice, new threats, or other factors.

While it may seem daunting to create a WISP from scratch, there are many templates and resources available online to help you get started. Once you have a basic framework in place, you can tailor it to fit the specific needs of your practice.

Understand the Components of a WISP

In order to create a Written Information Security Plan (WISP), it is important to understand the components of a WISP. The eight components of a WISP are:

1. Introduction: This section should provide an overview of the purpose and scope of the WISP.

2. Security Policy: The security policy is the foundation of the WISP and should outline the overall security goals and objectives for the organization.

3. Risk Assessment: A risk assessment should be conducted to identify potential threats and vulnerabilities faced by the organization.

4. Business continuity/disaster recovery plan: A business continuity/disaster recovery plan outlines how the organization will maintain critical operations in the event of an interruption.

5. Employee training and awareness: Employees should be trained on security procedures and made aware of their role in protecting organizational information assets.

6. Physical security: Physical security measures should be put in place to protect organizational information assets from unauthorized access or destruction.

7. Technical security: Technical security measures, such as firewalls and intrusion detection systems, should be implemented to protect organizational information assets from unauthorized access or destruction.

8. Monitoring and review: The WISP should be monitored and reviewed on a regular basis to ensure that it is effective in meeting its objectives.

Create your policies and procedures

In order to develop adequate policies and procedures for your Written Information Security Plan, you will need to consider the size and type of your practice, the amount of information you maintain, and how that information is used.

You will also need to consult with other members of your practice to get their input on what policies and procedures would work best for your organization. Once you have developed a draft of your policies and procedures, you should have them reviewed by a qualified security professional to ensure that they are comprehensive and effective.

Maintain and update your plan regularly

It is important to keep your Written Information Security Plan (WISP) up to date in order to ensure the security of your patient information. You should review and update your WISP at least annually, or more often if there are changes to your practice that could impact the security of your data.

When updating your WISP, be sure to consider any new threats or risks that may have emerged since you last updated your plan. For example, if you have added new technology to your practice, you will need to update your WISP to reflect the new risks associated with that technology. Additionally, if you have experienced any data breaches or other security incidents, you will need to update your WISP to address those vulnerabilities.

In addition to reviewing and updating your WISP on a regular basis, you should also train your staff on the latest security procedures. This will help ensure that everyone in your practice is aware of the importance of protecting patient information and knows how to properly handle sensitive data.

Creating a Written Information Security Plan for your practice is essential to ensure the security of confidential data and maintain HIPAA compliance. By following the guidelines outlined in this article, you can create an effective plan that will meet all of your needs.

Don’t forget to review and update the plan periodically to make sure it is up-to-date with any new technologies or regulations. With a well-crafted Written Information Security Plan in place, you can rest assured that your practice’s sensitive information is safe and secure.