Develop a HIPAA privacy policy

By Steve Giesecke

Most medical administrators have grappled with the issue of developing a HIPAA-compliant privacy policy. They have either developed a policy themselves or delegated the task to a staff member, possibly a medical group records administrator or hospital privacy official.

But some administrators have not yet tackled this challenge for a number of reasons. Possibly their organizations were previously exempt from compliance because they did not file electronic claims, a prerequisite for classification as a provider under the HIPAA guidelines. Possibly the organizations were programmatically exempt, such as a workers' compensation carrier or workers' compensation supporting organization. Other previously exempt organizations may have experienced a "privacy incident" involving the inadvertent disclosure of protected health information (PHI), which motivated the organization to "reach for compliance." Still other organizations have recognized the need to implement basic privacy procedures in an increasingly interactive healthcare arena where mutual trust — supported by data sharing agreements — governs the exchange of electronic health information.

Getting on the compliance bandwagon

Whatever the case, some of these organizations have decided that it's time to get on the compliance bandwagon. Organizations that are already qualified as HIPAA-covered entities may have realized that it's time to streamline and simplify their collection of privacy policies and collapse them into a single policy — a policy that staff members might actually read and reference in their daily tasks.

This article describes the basic content that should go into a HIPAA-compliant privacy policy. The article outlines the "minimum necessary" privacy practices that achieve compliance and provides a framework for privacy training for a medical group or other healthcare facility. Compiling a simplified presentation of HIPAA privacy is easier said than done because the complete final privacy rule is some 900 pages long! However, there are ways to divide this lengthy tome into "easy to consume" sections that together can form the basis for a working, practical policy.

HIPAA privacy requirements and considerations

A covered entity (CE) must implement — in written or electronic form — policies and procedures with respect to PHI that are designed to comply with the standards, implementation specifications, or other requirements of the privacy rule that defines the standards to protect an individual's health information.

HIPAA privacy requirements and considerations are included in the following table. By stating the requirement and addressing the considerations specific to your organization, you can compile a complete yet straightforward privacy policy for your practice setting.

Note that the table also includes a reference to where a specific requirement is located in the HIPAA privacy policy template, which you can download to help you develop — with nominal customization — a privacy policy for your organization.

Requirement Considerations Section in template
Privacy Official     An individual who is designated by a CE. The Privacy Official is responsible for developing and implementing privacy policies and procedures for the CE. A CE must also appoint someone responsible for receiving privacy-related complaints. In a small practice setting, the senior medical records technician can, with appropriate training, fill this role. In larger provider settings, such as hospitals, the compliance officer may be assigned this responsibility. In either case, the Privacy Official must have the authority and support commensurate with the significant responsibility of this position. 5.b
Designated Record Set (DRS)     Repositories of PHI that the CE must designate in writing. DRSs become the repositories of PHI that patients can access, amend, or restrict access to in exercising their individual rights. So, it's important that this is carefully articulated in the policy. This can be as simple as designating your hard-copy medical record files and any electronic PHI datasets to be the DRS. 6
Notice of Privacy Practices (NPP)     An individual has a right to adequate notice of the uses and disclosures of PHI that may be made by the CE, and of the individual's rights and the CE's legal duties with respect to PHI. An NPP is provided in paper format unless the patient agrees to accept it electronically (such as e-mail); an NPP is also posted on the CE's Web site, if one is available. If the CE is part of an organized healthcare delivery system, a joint notice can be distributed. A "best effort" attempt at receiving acknowledgment from patients must be documented. 7
Minimum necessary (general)     Limit releases of PHI to the "minimum necessary" to accomplish the purpose of the disclosure (except for treatment purposes).

Minimum necessary standards define the use and disclosure of PHI. CEs are to make "reasonable efforts" to limit use and disclosure to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

This standard does not apply to disclosures between providers for treatment purposes. Nor does it apply to the exchange of information between providers and health plans for treatment, payment, or healthcare operations. The CE sending the PHI determines the minimum necessary. Thus, the privacy rule allows providers and health plans (not the patients) to define the minimum necessary.

Implementation specifications include:

  • Not disclosing the entire medical record to meet a request — unless treatment-based or required by law — if a portion of the record will suffice.
  • Developing and applying criteria for nonroutine disclosures to help ensure the organization's minimum necessary policy is achieved.
Minimum necessary (implementation)     For each staff position, or class of positions, a CE must identify which positions need access to PHI to carry out the duties of those positions. The CE must also identify the categories of PHI to which access is needed. A CE must limit access to PHI to just those individuals who require such access.

For a streamlined implementation of "minimum necessary," list all the positions (multiple staff members can be assigned to one role or position) in the organization and list which PHI datasets they have access to.

Tip    Use an Excel worksheet to help you with this task. List positions down the left column and list datasets across the top row. Type X in the cells corresponding to the datasets that the respective position has access to.

Use this worksheet as a tool when assigning systems and medical file access for staff members assigned to these positions.
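The positions-by-datasets worksheet described above also serves as a machine-checkable least-privilege baseline. As an added example, not part of the original article or its template, the following Python reads a constructed CSV export of such a worksheet and flags actual access grants that the matrix does not authorize; all position names, dataset names and user IDs are constructed for illustration.

```python
import csv
import io

# Constructed CSV export of the worksheet described above (positions down the
# left, PHI datasets across the top, X = permitted). Names are illustrative.
MATRIX_CSV = """\
Position,Paper medical records,Scheduling system,Billing system,Psychotherapy notes
Front desk clerk,,X,,
Billing specialist,,,X,
Medical records technician,X,X,,
Treating clinician,X,X,,
Privacy Official,X,X,X,
"""

# Constructed sample of actual access grants pulled from the systems: (user, position, dataset).
GRANTS = [
    ("akim", "Front desk clerk", "Scheduling system"),
    ("akim", "Front desk clerk", "Billing system"),             # not in the matrix
    ("bpatel", "Billing specialist", "Billing system"),
    ("bpatel", "Billing specialist", "Paper medical records"),  # not in the matrix
    ("cdiaz", "Treating clinician", "Paper medical records"),
    ("dlee", "Volunteer", "Scheduling system"),                 # position missing from matrix
]


def parse_matrix(csv_text):
    """Return {position: set(datasets)} from the worksheet; an X marks permitted access."""
    reader = csv.reader(io.StringIO(csv_text))
    datasets = next(reader)[1:]          # header row minus the "Position" column
    matrix = {}
    for row in reader:
        if not row or not row[0].strip():  # skip blank lines left by spreadsheet exports
            continue
        allowed = {ds for ds, mark in zip(datasets, row[1:]) if mark.strip().upper() == "X"}
        matrix[row[0].strip()] = allowed
    return matrix


def audit_grants(matrix, grants):
    """Return grants that exceed the matrix as (user, position, dataset, reason) tuples."""
    findings = []
    for user, position, dataset in grants:
        if position not in matrix:
            findings.append((user, position, dataset, "position not in matrix"))
        elif dataset not in matrix[position]:
            findings.append((user, position, dataset, "dataset not permitted for position"))
    return findings


if __name__ == "__main__":
    for finding in audit_grants(parse_matrix(MATRIX_CSV), GRANTS):
        print("REVIEW:", *finding)
```

Each finding is either a grant to a dataset the position is not marked for, or a grant to a position that the worksheet does not list at all; both should be reviewed against the policy before the access is kept.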

Treatment, Payment, or Operations (TPO)     A CE may use or disclose PHI for its own treatment, payment, or healthcare operations.

Authorizations for release of information are not necessary for TPO-based uses of PHI.

Examples of a CE's TPO "routine" uses of PHI should be outlined in the NPP.

Specific authorization is required for disclosures or uses of psychotherapy notes and for marketing purposes.

While your prevailing state law may be more stringent, HIPAA expressly requires a patient's authorization for only two kinds of disclosures:

  • Psychotherapy notes, which are narrowly interpreted as the therapist's personal notes and/or a memory-jogger.
  • Any personal health information contemplated for marketing purposes. Exercise caution when using any PHI for marketing or sales purposes.

Review your authorization/release form, and include it as an attachment to your privacy policy.

Note   Providers may use limited patient information without patient authorization for their own fundraising activities and for fundraising activities by related foundations. However, exercise caution when using any patient information for fundraising purposes. The best advice is not to do it. If you have to use patient information for fundraising purposes, consult your attorney.

Uses and disclosures for which an authorization or opportunity to agree or object is not required.

The exceptions listed below have their own exceptions in the rule, but you can list them in your privacy policy in the same way that they are presented here. Any questions should be directed to your Privacy Official.

The following is a list of exceptions when authorization is not required:

  • Uses and disclosures required by law
  • Uses and disclosures for public health activities
  • Disclosures about victims of abuse, neglect, or domestic violence
  • Uses and disclosures for health oversight activities
  • Disclosures for judicial, administrative, and investigative proceedings
  • Disclosures for law enforcement purposes
  • Uses and disclosures about decedents
  • Uses and disclosures for research purposes
  • Uses or disclosures to avert a serious threat to health or safety
  • Uses for specialized government functions, including for military purposes
  • Disclosures for workers' compensation
State law preemption and minors' rights

HIPAA preempts conflicting state law. However, if state law is more stringent than HIPAA without presenting a conflict, state law takes precedence.

HIPAA generally defers to state law regarding minors' rights issues with respect to the disclosure of a minor's PHI.

Research prevailing state law on minors' rights (such as age of maturity), and include this information in your privacy policy.

Patient right to access health information     Your privacy policy must describe your organization's procedures for addressing a patient's request regarding his or her health information. Patients have the right to access, inspect, and copy the PHI that is used to make decisions about them. Note that this does not include an automatic right to access certain types of data (such as psychotherapy notes or information compiled for court-related proceedings). 10
Patient right to request amendment of health information.

Patients have the right to request amendment of their health information.

The CE may deny the request if the information is deemed accurate and complete, or if the information was not created by the CE.

Patient right to request restriction of uses and disclosures. CEs are not required to approve a request to restrict, but if they do, they must abide by it except in emergencies. 10.c
Patient right to alternative methods or locations for receiving confidential communications on patient's health information. Such requests may mean the patient is under domestic duress. Providers must comply with reasonable requests, but payers are not required to comply unless the individual claims endangerment. 10.d
Patient right to an accounting of disclosures of health information for purposes other than treatment, payment, and healthcare operations, except if related to national security, law enforcement, or similar reasons.

Patients have the right to an accounting of disclosures of their PHI made during the past six years or back to April 14, 2003, whichever date is more recent.

Too many exceptions apply to this provision for them to be listed here. Please see section 164.512 of the HIPAA privacy rule for a list of exceptions, and incorporate these into your privacy policy.

Patient right to complain.

A CE must provide a clear process (and contact person) for individuals to make complaints concerning the CE's privacy policies and procedures.

You should also include in your NPP the right of the patient to complain to the U.S. Department of Health and Human Services.

Safeguards     A CE must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

Work with the senior IT security manager to identify those administrative, physical, and technical safeguards applied to hard-copy and electronic PHI.

Also, identify staff responsibilities for maintaining these safeguards.

Training     A CE must train all members of its work force on the policies and procedures with respect to the CE's management of PHI. This training must be documented. New staff members must be trained within a reasonable amount of time after joining the organization. Existing staff members must receive appropriate training if their duties regarding PHI change appreciably. 12

Business associates     CEs must have a written agreement with business associates that specifies that the latter will appropriately safeguard health information that the CE discloses to them. Business associates include those business partners with whom you exchange PHI. This often includes agencies that perform the following functions on your behalf:

  • Claims processing or administration
  • Data analysis, processing, or administration
  • Utilization review
  • Quality assurance
  • Billing
  • Benefit management
  • Practice management
  • Repricing services

CEs are held responsible for business associates' HIPAA violations if the CEs were aware of violations and didn't take reasonable steps to address them.

Review your Business Associate Agreement (BAA) template for adequacy and completeness.

Complete a review of your subcontractors to see which should receive a BAA.

Whistleblower provision     A CE will not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals who exercise any right under the HIPAA privacy rule, including filing a complaint. This provision is self-explanatory; you can include the preceding requirement statement verbatim in your policy. Be sure to replace "CE" with your organization's name. 14
Sanctions     A CE must have a policy for imposing disciplinary sanctions on employees who violate HIPAA privacy requirements. Include a graduated approach for dealing with staff members who violate your privacy policy; for example, for the first unintentional violation of an organizational privacy policy, the employee will receive verbal counseling and remedial training. 15

Using the template to develop a HIPAA privacy policy

Use the sample template to develop a comprehensive HIPAA-compliant privacy policy. You can use this template to include the content related to the compliance requirements described in the preceding table.

Keep your privacy policy simple and straightforward. If more detail is needed, develop desk references and operating instructions for the appropriate departments in your organization. Be sure to add or customize the content in the template according to the particular activities of your practice setting. Consider using the references from the table that make sense for your healthcare organization.

Tip   Where applicable, you can copy content from the Considerations column in the preceding table when creating your privacy policy.

About the author     Steve Giesecke is a health systems IT consultant with extensive experience in regulatory compliance, business and technology analysis, security and risk assessment, medical claims systems and processes, and software development project management. Steve is the former Deputy CIO for the U.S. military health system responsible for an annual information technology program of $500 million. With two decades of experience as a healthcare administrator, he has served as a CEO and COO of four federal medical facilities, and as the CIO of a tertiary care medical center.

Applies to:
Word 2003