Sample policies and procedures

This sample policy defines patients' right to access their Protected Health Information (“PHI”) and sets forth the procedures for approving or denying patient access requests.  

Download here. 

This sample policy describes a covered entity's obligation to account for known disclosures of patients’ PHI, patients’ right to receive an accounting of the disclosures of their PHI, and the process for responding to patient requested for an accounting of disclosures made by the covered entity.

Download here. 

This sample policy is to establish the procedure for making sure a patient’s right to request that communications of PHI be delivered by alternative means or at alternate locations.

Download here.

This sample policy provides a process for responding to patient requests to amend their PHI. 

Download here.

This sample policy sets forth a covered entity's process for the use and disclosure of Protected Health Information (“PHI”) pursuant to a written authorization.

Download here.

This sample policy sets forth the procedures for responding to potential breaches of protected health information. 

Download here.

This sample policy provides a process for establishing written agreements with business associates as required by the HIPAA Privacy Rule.

Download here.

This sample policy establishes procedures to ensure that an effective complaint process is in place to respond to privacy violations.

Download here.

The confidential communication policy should be used to describe the process by which individuals can request and communicate with their physician confidentially through specified means or at specified locations.

Download here.

This sample policy sets forth the process for converting individually identifiable Protected Health Information (“PHI”) into information that no longer reveals the identity of any patient.

Download here. 

The Deceased Individuals Policy describes the circumstances under which the PHI of a deceased individual may be used or disclosed.

Download here.

This sample policy describes the documents that comprise the Designated Record Set.

Download here.

This sample policy sets forth procedures for ensuring that any medium containing PHI is properly destroyed.

Download here.

The Disclosures for Specialized Government Functions Policy describes the circumstances under which PHI may be disclosed to government personnel and agencies for purposes of specialized government functions.

Download now.

The Disclosures for Law Enforcement Policy establishes guidelines for situations in which an entity may disclose protected health information (PHI) for law enforcement purposes without a patient’s authorization or without the patient’s agreement or objection and to describe the requirements that must be met before such disclosures may be made.

Download now.

The Limited Data Set Policy sets forth the process for creating a Limited Data Set as well as the purposes for and circumstances under which a Limited Data Set may be disclosed.

Download now.

This sample policy sets forth procedures for ensuring that marketing and fundraising communications comply with the HIPAA Privacy Rule’s requirements as well as any applicable state laws or regulations. 

Download here.

This sample policy explains how to make sure uses and disclosures of Protected Health Information (“PHI”) comply with HIPAA's minimum necessary rule.

Download here.

This sample policy is designed to ensure that a covered entity's Notice of Privacy Practices complies with HIPAA and is provided to, and acknowledged by, by patients on or before the patient's first date of service. 

Download here.

This sample policy is designed to ensure that the covered entity complies with HIPAA Privacy Rule requirements when using or disclosing PHI after an opportunity to agree or object.

Download here.

This sample policy defines when and what protected health information (“PHI”) may be disclosed to an individual’s personal representative.

Download now.

This sample policy provides guidance on the use and/or disclosure of PHI for research purposes.

Download here.

This sample policy ensures that the covered entity complies with HIPAA Privacy Rule requirements when responding to subpoenas or discovery requests for PHI.  

Download here.

This sample policy provides a process for handling patient requests for restrictions to otherwise permitted uses or disclosures of PHI.

Download here.

This sample policy ensures appropriate retention of Protected Health Information (“PHI”) contained in a Designated Record Set.

Download here.

This policy establishes appropriate sanctions for employees who violate the requirements of the HIPAA Privacy Rule and/or a covered entity's HIPAA privacy policies and procedures.

Download here.

This sample policy ensures that a covered entity's uses and disclosures of PHI are consistent with applicable laws, regulations, and health information standards.

Download here.

This sample policy ensures that PHI is disclosed only to appropriate persons in accordance with the requirements of the HIPAA Privacy Rule.

Download here.

This sample policy describes the circumstances under which workforce members who are whistleblowers or victims of a crime may make disclosures of protected health information.

Download now.

This sample policy establishes the standards for disclosing an individual’s PHI for purposes of complying with workers’ compensation laws. 

Download now.