HIPAA Policy and Procedure Templates



HIPAA Policy and Procedure Templates for Medical Practices

Writing HIPAA policies and procedures is a huge undertaking. Starting from scratch, familiarizing yourself with the regulations (CFRs) could take hours and hours.

Logan Solutions has done most of the work for you. We've reviewed the regulations and written policies--and, in many cases, standard procedures--to make the process much simpler. Use our editable MS Word templates as a starting point, then customize them for your practice and save countless hours of research and work.

What's Included

Logan Solutions has written over 90 policies that correspond to the CFRs required by HIPAA.


General authorization:

  1. Disclosures to carry out treatment, payment, and healthcare operations
  2. Disclosures for which authorization is not required
  3. Description of requirements for a valid authorization to release PHI
  4. Disclosures for which authorization is required
  5. Authorization requirements for psychotherapy notes
  6. Verification of identity requirements

Uses and Disclosures:

  1. General rules regarding uses and disclosures of PHI
  2. Minimum necessary disclosures and requests
  3. Deceased individuals
  4. Personal representatives
  5. Minors
  6. Confidential communications
  7. Whistleblowers and crime victims
  8. Opportunity to agree or object
  9. Opportunity to request special privacy restrictions
  10. Access of individuals to PHI
  11. Accounting of PHI disclosures
  12. De-identification of PHI
  13. Meeting legal requirements
  14. Cooperating with public health activities
  15. Clinical trials
  16. Health oversight activities
  17. Complying with judicial and administrative proceedings
  18. Complying with law enforcement
  19. Aversion of a serious threat
  20. Complying with specialized treatment functions
  21. Marketing and fundraising
  22. Amendments of PHI
  23. Notice of privacy practices regarding PHI
  24. Consent, authorization, or opportunity to agree or object not required

Administration of Policies and Procedures:

  1. Privacy officer
  2. Internal complaints
  3. Protection of right to complain
  4. Investigation, mitigation and remediation of violations
  5. Employee sanctions for violations
  6. Privacy training programs
  7. Documentation and retention
  8. Notice of privacy practices
  9. Special privacy protections
  10. Amendments to PHI
  11. Business associates
  12. Monitoring and self-auditing program



  1. Security management
  2. Risk analysis
  3. Risk management
  4. Sanction policy
  5. Information system activity review
  6. Assigned security responsibility
  7. Employee security
  8. Authorization and/or supervision
  9. Employee clearance procedures
  10. Termination procedures
  11. Information access management
  12. Isolating healthcare clearinghouse functions
  13. Access establishment and modification
  14. Security awareness training
  15. Security reminders
  16. Protection from malicious software
  17. Log-in monitoring
  18. Password management
  19. Response and reporting
  20. Disaster recovery plan
  21. Data backup plan
  22. Data restoration
  23. Emergency mode operation plan
  24. Testing and revision procedure
  25. Applications and data criticality analysis
  26. Periodic security evaluation
  27. Business associate agreements


  1. Facility access controls
  2. Contingency operations
  3. Facility security plan
  4. Access control and validation procedures
  5. Maintenance records
  6. Workstation use
  7. Workstation security
  8. Device and media controls
  9. Device and media disposal
  10. Device and media re-use
  11. Device and media accountability
  12. Device and media data backup and storage


  1. Access control
  2. Unique user identification
  3. Emergency access procedure
  4. Automatic log-off
  5. Encryption and decryption
  6. Audit controls
  7. Protecting ePHI integrity
  8. Corroborating ePHI integrity
  9. Person/entity authentication
  10. Transmission–integrity controls
  11. Mechanisms to authenticate ePHI
  12. Transmission encryption

Use and Disclaimer

Use of the policies and procedures (Product) is limited to a single organization with whom the purchaser is affiliated. Product may not be resold or given to another party, except with the written consent of Logan Solutions.

Customer assumes all liability for use of Product. Logan Solutions assumes no responsibility for the contents, before or after customization or alteration by customer or any other party.

Purchase of the Product indicates acceptance of these terms.