Example Policy and Procedure Template

Version 1/FINAL: 12/09/12
HIPAA COW
PRIVACY, SECURITY, & RISK MANAGEMENT NETWORKING GROUPS
EXAMPLE POLICY AND PROCEDURE TEMPLATE
Disclaimer
This Example Policy and Procedure Template is Copyright by the HIPAA Collaborative of
Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this
copyright notice is not removed. When information from this document is used, HIPAA COW
shall be referenced as a resource. It may not be sold for profit or used in commercial documents
without the written permission of the copyright holder. This Example Policy and Procedure
Template is provided “as is” without any express or implied warranty. This Example Policy and
Procedure Template is for educational purposes only and does not constitute legal advice. If you
require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW
has not addressed all state pre-emption issues related to this Example Policy and Procedure
Template. Therefore, this document may need to be modified in order to comply with
Wisconsin/State law.
Important Notes: This example policy and procedure (P&P) template was developed to assist
organizations to create a P&P template for their own organizations. It may be useful for
organizations to utilize this document to create their own P&P template for all P&Ps they write.
There are currently no HIPAA or other known Federal or State regulations that require any
particular sections or elements to be included in P&Ps. As the content of every P&P is
inherently different, each different “section” included in this example P&P template may not be
needed in every P&P. If a particular “section” is not needed for a P&P, remove it.
Recommendations about how to write P&Ps which may be helpful to you were provided at two
HIPAA COW Conferences (September 2007 and April 2005). [Remove the brackets and
italicized tips within them]. Include simple and short sentences in P&Ps. Use common words
that everyone understands. It is recommended that you maintain a list of P&Ps with effective
dates, previous version dates, and end dates for P&Ps no longer in place. Consider writing a
“policy on P&Ps”, describing the format to use, frequency to review and revise them, how to
maintain them, etc.
Current Version: 11/27/12
Prepared by: Holly Schlenvogt, MSH, CPM, HRT Consulting, LLC
Reviewed by: Nancy Davis, MS, RHIA, Ministry Health Care; Chrisann Lemery, MS, RHIA, FAHIMA, WEA Trust
Content Changed: N/A – this is the first version
© Copyright HIPAA COW
Organization Name
Policy and Procedure Name
Table of Contents [If a P&P is more than 4-5 pages long, consider including one]
Policy
Purpose
Applicable To
Scope
Procedure
Responsible for Implementation
Attachments
Related P&Ps, Position Statements, or Other Documents
Definitions
Resources
Applicable Standards/Regulations
Version History
Attachment 1
Policy Number [if applicable]:
Policy [What the organization wants done. The goal or position of the organization. Address
legal and organizational requirements.]
1.
A.
i.
a.
i.
2.
Purpose [Why the organization wants it done. The reason for this P&P; why it is in place.
Examples: “To establish guidelines for…” “To help ensure that adequate privacy and security
safeguards are in place, [ORGANIZATION]…” “To comply with HIPAA Privacy and Security
regulations” “To provide directions on…”]
1.
A.
i.
a.
i.
2.
Applicable To [List department(s) and/or roles required to follow this P&P]
1.
2.
Violation of this policy and its procedures by workforce members may result in corrective
disciplinary action, up to and including termination of employment. Violation of this policy and
procedures by others, including providers, providers' offices, business associates and partners
may result in termination of the relationship and/or associated privileges. Violation may also
result in civil and criminal penalties as determined by federal and state laws and regulations.
Scope [Broad general statements outlining to whom or in which situations the procedure
applies, such as applicable organizations, regions, departments, etc.]
1.
A.
2.
Procedure [How to do it; how to meet the Policy requirements and goals of the P&P.]
1.
A.
i.
a.
i.
2.
Responsible for Implementation: [List position title(s) and/or department(s) responsible for
implementing and overseeing this P&P. Examples may include the Privacy Officer, Security
Officer, Risk Management Team, etc.]
Attachments [Include the Title of each attachment. Attachments may include a checklist,
training tool, examples, flowchart, etc. Reference attachments in the P&P. If there are multiple
attachments, list as “Attachment A,” “Attachment B,” etc.]
1.
2.
Related P&Ps, Position Statements, or Other Documents [Insert the Title and date (e.g.
“Sanctions Policy”). If there are multiple attachments, list as “Attachment A,” “Attachment B,”
etc.]
1.
2.
Definitions [List alphabetically in the format noted below. Include definitions for important
legal and technical terms. Consider “Capitalizing” definitions throughout the P&P]
1. Word. Definition of the word.
2.
Resources [List resources used to write the P&P. Include the document name and date
“published”, and author if known, similar to those listed below that were used to write this P&P
Template document]
1. 2008 WHIMA Policy Template
2. 2010 Ministry Health Care Enterprise Policy Template
3. 2007 Writing Effective HIPAA Privacy and Security Policies and Procedures HIPAA COW
presentation, Catherine Boerner
4. 2005 Policy & Procedure Writing HIPAA COW presentation, Holly Schlenvogt
Applicable Standards/Regulations [List those applicable to this P&P. May include HIPAA
regulations, State laws, Joint Commission, etc.]
1.
2.
Consulted With [list internal and external resources utilized to complete this policy]
For More Information Contact [list title of position responsible for creation and maintenance
of policy – resource for questions]
Responsible Senior Leader [list title of leader responsible for oversight of operations covered
by policy/sponsor of policy; can be responsible for approval of policy as well]
Version History [Include each revision date. Reviewers are typically individuals with authority
over the P&P. Consider including version numbers.]
Version # | Effective Date | Author(s)/Editor(s) | Reviewer(s)/Approved By | Signature line [remove if signed electronically]
1 | xx/xx/xx | <Name> | <Name> |
Attachment 1
Title of Attachment