HIPAA Privacy Policy

1. PURPOSE

   [List the objectives for this privacy policy.]

2. SCOPE

   a. This policy applies to all of the organization’s employees, management, contractors, student interns, and volunteers.
   b. This policy describes the organization’s objectives and policies regarding maintaining the privacy of patient information.
   c. [If your organization is exempt, discuss your organization’s desire to become compliant as a “trusted partner” of HIPAA-covered entities.]

3. REFERENCES [Below, list your organization’s policies, procedures, and statements that affect the privacy and confidentiality of client health information.]

   a. [Policy, procedure, or statement]
   b. [Policy, procedure, or statement]
   c. [Policy, procedure, or statement]
   d. [Policy, procedure, or statement]
   e. [Policy, procedure, or statement]
   f. [Policy, procedure, or statement]
   g. [List other organization policies or procedures that address the management of client health information.]

4. DEFINITIONS [Below, list terms and definitions relevant to the HIPAA privacy policy for your organization.]

   Term: [Term #1]
   Definition: [Definition #1]

   Term: [Term #2]
   Definition: [Definition #2]

   Term: [Term #3]
   Definition: [Definition #3]

   Term: [Term #4]
   Definition: [Definition #4]

5. RESPONSIBILITIES

   a. Executives/Management
      1) Establish program objectives
      2) Approve privacy policy
      3) Provide training for work force
      4) Enforce sanctions
      5) Designate Privacy Official

   b. Privacy Official
      1) Develops privacy policies and procedures
      2) Coordinates and implements policy through the organization’s departments
      3) Oversees training
      4) Receives and processes privacy complaints
      5) Processes individual rights requests
         a) Right to access/copy protected health information (PHI)
         b) Right to amend PHI
         c) Right to restrict use/disclosure
         d) Right to confidential communications
         e) Right to an accounting of disclosures
         f) Right to file a complaint
      6) Ensures retention of HIPAA policies and procedures, complaints, and investigative materials to meet compliance requirements

   c. Legal Counsel (or Privacy Official)
      1) Processes Business Associate Agreements (BAAs)
         a) Conducts business associate inventory
         b) Develops and coordinates BAA template
         c) Conducts annual review/update

   d. Corporate Compliance Officer
      1) Assists in development and execution of the HIPAA Privacy Policy and promulgation of operating procedures
      2) Assists and supports the Privacy Official
      3) Provides support for HIPAA compliance activities

   e. Medical Records Director
      1) Implements the organization’s privacy policy for medical records
      2) Provides administrative and physical safeguards for the protection of client health information

   f. Director, Training
      1) Develops and implements the privacy training program as described in the Work Force Training section of this policy
      2) Documents the delivery of privacy training to all work force members

   g. Employee responsibilities
      1) Understand and comply with the organization’s policies regarding patient confidentiality and privacy

6. DESIGNATED RECORD SET [Below, define the PHI repositories in your organization.]

   a. [Repository]
   b. [Repository]
   c. [Repository]

7. NOTICE OF PRIVACY PRACTICES (NPP) [Below, list your organization’s policy and approach to developing and issuing an NPP to patients.]

   a. [Policy and approach]
   b. [Policy and approach]
   c. The organization will make a “best effort” attempt to obtain acknowledgment of receipt of the NPP from each patient and will document the acknowledgment in the patient’s medical record.

8. MINIMUM NECESSARY POLICY [Below, list your organization’s policy for limiting access to and distribution of PHI to the minimum necessary for essential business functions to operate.]

   a. [Policy]
   b. [Policy]
   c. [Policy]

9. USE AND/OR DISCLOSURE OF PROTECTED HEALTH INFORMATION

   a. Routine uses: [Describe the organization’s routine uses of PHI. These should correspond to the uses cited in the NPP.]
      1) Treatment, Payment, and Operations: [Describe the organization’s functions for which authorization is not required.]

   b. Process for disclosing client information: [Describe the organization’s process for allowing external disclosure of client information.]

   c. Personal representatives
      1) [Describe how the organization determines or identifies a Personal Representative.]
      2) Minors’ rights: [Reference the specific state law that grants minors the right to access their PHI.]

10. INDIVIDUAL RIGHTS [Below, list your organization’s procedures for handling individual HIPAA rights requests.]

    a. Right to access/copy PHI: [Procedure]
    b. Right to amend PHI: [Procedure]
    c. Right to restrict use or disclosure: [Procedure]
    d. Right to confidential communications: [Procedure]
    e. Right to an accounting of disclosures: [Procedure]
    f. Right to file a complaint: [Procedure]

11. SAFEGUARDS FOR THE PROTECTION OF PHI [Below, list the safeguards your organization has put in place for the protection of PHI.]

    a. Administrative safeguards: [Safeguard]
    b. Physical safeguards: [Safeguard]
    c. Technical safeguards: [Safeguard]

12. WORK FORCE TRAINING

    a. [Describe your organization’s privacy training program.]
       1) New staff member training: [Describe the training program]
       2) Recurrent training: [Describe the training program]
       3) Special function training: [Describe the training program]
    b. [Identify privacy training program content.]

13. BUSINESS ASSOCIATE AGREEMENTS

    a. [Describe your organization’s process for developing and executing Business Associate Agreements (BAAs).]

14. EMPLOYEE COMPLAINTS

    a. [Describe the process for employee-generated privacy complaints regarding your organization’s policies and processes for managing PHI.]

15. SANCTIONS

    a. [State your organization’s policy for addressing employee violations of its privacy policy.]