
The HIPAA Toolkit

August 1, 2019

Sample policies and procedures

Access Policy

This sample policy defines patients' right to access their Protected Health Information (“PHI”) and sets forth the procedures for approving or denying patient access requests.  

Download here. 

Accounting of Disclosures Policy

This sample policy describes a covered entity's obligation to account for known disclosures of patients’ PHI, patients’ right to receive an accounting of the disclosures of their PHI, and the process for responding to patient requests for an accounting of disclosures made by the covered entity.

Download here. 

Alternative Communication Policy

This sample policy establishes the procedure for ensuring that a patient’s right to request that communications of PHI be delivered by alternative means or at alternate locations is honored.

Download here.

Amendment of Medical Record

This sample policy provides a process for responding to patient requests to amend their PHI. 

Download here.

Authorization Policy

This sample policy sets forth a covered entity's process for the use and disclosure of Protected Health Information (“PHI”) pursuant to a written authorization.

Download here.

Breach Notification Policy

This sample policy sets forth the procedures for responding to potential breaches of protected health information. 

Download here.

Business Associates Policy

This sample policy provides a process for establishing written agreements with business associates as required by the HIPAA Privacy Rule.

Download here.

Complaints Policy

This sample policy establishes procedures to ensure that an effective complaint process is in place to respond to privacy violations.

Download here.

Confidential Communication Policy

The confidential communication policy should be used to describe the process by which individuals can request and communicate with their physician confidentially through specified means or at specified locations.

Download here.

De-Identification Policy

This sample policy sets forth the process for converting individually identifiable Protected Health Information (“PHI”) into information that no longer reveals the identity of any patient.

Download here. 

Deceased Individuals Policy

The Deceased Individuals Policy describes the circumstances under which the PHI of a deceased individual may be used or disclosed.

Download here.

Designated Record Set Policy

This sample policy describes the documents that comprise the Designated Record Set.

Download here.

Destruction Policy

This sample policy sets forth procedures for ensuring that any medium containing PHI is properly destroyed.

Download here.

Disclosures for Specialized Government Functions Policy

The Disclosures for Specialized Government Functions Policy describes the circumstances under which PHI may be disclosed to government personnel and agencies for purposes of specialized government functions.

Download now.

Disclosures for Law Enforcement Policy

The Disclosures for Law Enforcement Policy establishes guidelines for situations in which an entity may disclose protected health information (PHI) for law enforcement purposes without a patient’s authorization or without the patient’s agreement or objection, and describes the requirements that must be met before such disclosures may be made.

Download now.

Limited Data Set Policy

The Limited Data Set Policy sets forth the process for creating a Limited Data Set as well as the purposes for and circumstances under which a Limited Data Set may be disclosed.

Download now.

Marketing and Fundraising Policy

This sample policy sets forth procedures for ensuring that marketing and fundraising communications comply with the HIPAA Privacy Rule’s requirements as well as any applicable state laws or regulations. 

Download here.

Minimum Necessary Policy

This sample policy explains how to make sure uses and disclosures of Protected Health Information (“PHI”) comply with HIPAA's minimum necessary rule.

Download here.

Notice of Privacy Practices Policy

This sample policy is designed to ensure that a covered entity's Notice of Privacy Practices complies with HIPAA and is provided to, and acknowledged by, patients on or before the patient's first date of service.

Download here.

Opportunity to Agree or Object Policy

This sample policy is designed to ensure that the covered entity complies with HIPAA Privacy Rule requirements when using or disclosing PHI after an opportunity to agree or object.

Download here.

Personal Representative Policy

This sample policy defines when and what protected health information (“PHI”) may be disclosed to an individual’s personal representative.

Download now.

Research Policy

This sample policy provides guidance on the use and/or disclosure of PHI for research purposes.

Download here.

Responding to Subpoenas Policy

This sample policy ensures that the covered entity complies with HIPAA Privacy Rule requirements when responding to subpoenas or discovery requests for PHI.  

Download here.

Restrictions on Uses and Disclosures Policy

This sample policy provides a process for handling patient requests for restrictions to otherwise permitted uses or disclosures of PHI.

Download here.

Retention Policy

This sample policy ensures appropriate retention of Protected Health Information (“PHI”) contained in a Designated Record Set.

Download here.

Sanctions Policy

This policy establishes appropriate sanctions for employees who violate the requirements of the HIPAA Privacy Rule and/or a covered entity's HIPAA privacy policies and procedures.

Download here.

Uses and Disclosures Policy

This sample policy ensures that a covered entity's uses and disclosures of PHI are consistent with applicable laws, regulations, and health information standards.

Download here.

Verification Policy

This sample policy ensures that PHI is disclosed only to appropriate persons in accordance with the requirements of the HIPAA Privacy Rule.

Download here.

Whistleblower and Crime Victim Disclosures

This sample policy describes the circumstances under which workforce members who are whistleblowers or victims of a crime may make disclosures of protected health information.

Download now.

Workers' Compensation Policy

This sample policy establishes the standards for disclosing an individual’s PHI for purposes of complying with workers’ compensation laws. 

Download now.

Disclaimer

The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.