sample policies (HIPAA)

HIPAA's Privacy Rule and Security Rule both require that a covered entity develop comprehensive information policies...

... with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of [the regulations]. The policies and procedures must be reasonably designed, taking into account the size of and the type of activities that relate to protected health information undertaken by the covered entity, to ensure such compliance.

In other words, while the regulations set what must be covered in such policies, organizations are given leeway to develop specifics that are reasonable and appropriate given their situations.

The following organizations' policies provide examples of approaches to this task:

This list focuses on University-affiliated health care organizations, which tend to be large and for the most part represent the high-complexity end of the spectrum. But even within this group there is considerable variation in the size and intricacy of policies.

The two Workgroup for Electronic Data Interchange (WEDI) reports listed below provide detailed guidance on implementing HIPAA-compliant policies. Many commercial templates are also available, for a fee.

See also:


© 2002-2006 Contributing authors and University of Miami School of Medicine