HIPAA POLICIES, PROCEDURES and DOCUMENTS
A Checklist for Providers

 

Every organization will have to develop policies and procedures in the format that works best for its individual needs. Some will prefer a limited number of policies, with each policy addressing many issues. Others will prefer separate, short policies addressing only one issue each. The following checklist serves to summarize one way that an organization may address the HIPAA requirements for policies, procedures and documents.

 

____General Privacy Statement and Issues. A general policy may be a good place to put such issues as:

          Statement of organization's privacy principles
          Overview of types of permission needed for use and disclosure of PHI (164.502)
          Required disclosures (164.502)
          Handling of PHI of deceased individuals (164.502)
          Handling of personal representatives (164.502)
          Privacy official (164.530)
          No retaliation for pursuing privacy rights or whistleblowing (164.530)
          Mitigation of damages from breach of privacy (164.530)
          Prohibition on asking patients to waive privacy rights (164.530)

____Minimum Necessary (164.502; 164.514)
____De-Identification (164.502; 164.514)
____Business Associates (164.502; 164.504)
          Business Associate contract

____Unemancipated minors (164.502)
____Organizational Documentation (164.504)
          Hybrid organization
          Affiliated Covered Entity
          Organized Health Care Arrangement
          Multiple Covered Functions

____Uses and Disclosures for Treatment, Payment & Health Care Operations (164.506)
____Authorization (164.508)
          Authorization form

____Research (164.508)
____Marketing (164.508)
____Opportunity to Agree or Object (164.510)
          Facility directory
          Persons involved in care or payment
          Disaster relief

____Public Policy Disclosures (164.512)
____Limited data set (164.514)
____Verification of Identity and Authority (164.514)
____Fundraising (164.514)
____Notice of Privacy Practices (164.520)
          Notice

____Request for Restrictions on Uses and Disclosures (164.522)
____Requests for Confidential Communications (164.522)
____Patient Access to Records (164.524)
____Amendment of Patient Records (164.526)
____Accounting of Disclosures (164.528)
          Accounting form

____Complaint Process (164.530)
____Training (164.530)
____Safeguards (164.530)
____Discipline/Sanctions (164.530)
____Document Retention (164.530)


THIS DOCUMENT SHOULD BE CONSIDERED ONE EXAMPLE OF HOW AN ORGANIZATION CAN START. THIS DOCUMENT IS PROVIDED AS GENERAL GUIDANCE AND DOES NOT CONSTITUTE LEGAL ADVICE. 
(Document provided to MIEC policyholders with permission from
Physician Insurers Association of America)
