The HIPAA Toolkit
August 1, 2019
Sample policies and procedures
Access Policy
This sample policy defines patients' right to access their Protected Health Information (“PHI”) and sets forth the procedures for approving or denying patient access requests.
Accounting of Disclosures Policy
This sample policy describes a covered entity's obligation to account for known disclosures of patients' PHI, patients' right to receive an accounting of the disclosures of their PHI, and the process for responding to patient requests for an accounting of disclosures made by the covered entity.
Alternative Communication Policy
This sample policy establishes the procedure for honoring a patient's right to request that communications of PHI be delivered by alternative means or at alternative locations.
Amendment of Medical Record
This sample policy provides a process for responding to patient requests to amend their PHI.
Authorization Policy
This sample policy sets forth a covered entity's process for the use and disclosure of Protected Health Information (“PHI”) pursuant to a written authorization.
Breach Notification Policy
This sample policy sets forth the procedures for responding to potential breaches of protected health information.
Business Associates Policy
This sample policy provides a process for establishing written agreements with business associates as required by the HIPAA Privacy Rule.
Complaints Policy
This sample policy establishes procedures to ensure that an effective complaint process is in place to respond to privacy violations.
Confidential Communication Policy
The confidential communication policy should be used to describe the process by which individuals can request and communicate with their physician confidentially through specified means or at specified locations.
De-Identification Policy
This sample policy sets forth the process for converting individually identifiable Protected Health Information (“PHI”) into information that no longer reveals the identity of any patient.
Deceased Individuals Policy
The Deceased Individuals Policy describes the circumstances under which the PHI of a deceased individual may be used or disclosed.
Designated Record Set Policy
This sample policy describes the documents that comprise the Designated Record Set.
Destruction Policy
This sample policy sets forth procedures for ensuring that any medium containing PHI is properly destroyed.
Disclosures for Specialized Government Functions Policy
The Disclosures for Specialized Government Functions Policy describes the circumstances under which PHI may be disclosed to government personnel and agencies for purposes of specialized government functions.
Disclosures for Law Enforcement Policy
The Disclosures for Law Enforcement Policy establishes guidelines for the situations in which an entity may disclose protected health information (PHI) for law enforcement purposes without the patient's authorization and without giving the patient an opportunity to agree or object, and describes the requirements that must be met before such disclosures may be made.
Limited Data Set Policy
The Limited Data Set Policy sets forth the process for creating a Limited Data Set as well as the purposes for and circumstances under which a Limited Data Set may be disclosed.
Marketing and Fundraising Policy
This sample policy sets forth procedures for ensuring that marketing and fundraising communications comply with the HIPAA Privacy Rule’s requirements as well as any applicable state laws or regulations.
Minimum Necessary Policy
This sample policy explains how to make sure uses and disclosures of Protected Health Information (“PHI”) comply with HIPAA's minimum necessary rule.
Notice of Privacy Practices Policy
This sample policy is designed to ensure that a covered entity's Notice of Privacy Practices complies with HIPAA and is provided to, and acknowledged by, patients on or before the patient's first date of service.
Opportunity to Agree or Object Policy
This sample policy is designed to ensure that the covered entity complies with HIPAA Privacy Rule requirements when using or disclosing PHI after an opportunity to agree or object.
Personal Representative Policy
This sample policy defines when and what protected health information (“PHI”) may be disclosed to an individual’s personal representative.
Research Policy
This sample policy provides guidance on the use and/or disclosure of PHI for research purposes.
Responding to Subpoenas Policy
This sample policy ensures that the covered entity complies with HIPAA Privacy Rule requirements when responding to subpoenas or discovery requests for PHI.
Restrictions on Uses and Disclosures Policy
This sample policy provides a process for handling patient requests for restrictions to otherwise permitted uses or disclosures of PHI.
Retention Policy
This sample policy ensures appropriate retention of Protected Health Information (“PHI”) contained in a Designated Record Set.
Sanctions Policy
This sample policy establishes appropriate sanctions for workforce members who violate the requirements of the HIPAA Privacy Rule and/or a covered entity's HIPAA privacy policies and procedures.
Uses and Disclosures Policy
This sample policy ensures that a covered entity's uses and disclosures of PHI are consistent with applicable laws, regulations, and health information standards.
Verification Policy
This sample policy ensures that PHI is disclosed only to appropriate persons in accordance with the requirements of the HIPAA Privacy Rule.
Whistleblower and Crime Victim Disclosures
This sample policy describes the circumstances under which workforce members who are whistleblowers or victims of a crime may make disclosures of protected health information.
Workers' Compensation Policy
This sample policy establishes the standards for disclosing an individual’s PHI for purposes of complying with workers’ compensation laws.
Disclaimer
The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.