The MMIC Group
Suggested HIPAA Privacy Policies, Procedures and Documents for Health Care Providers

The HIPAA Privacy regulation requires health care providers to implement policies and procedures to meet the HIPAA requirements. Every provider organization will have to develop policies and procedures in the format that works best for its individual needs. Some will prefer a limited number of policies, with each policy addressing many issues. Others will prefer separate, short policies addressing only one issue each.

This is a sample of one way to group the HIPAA issues that should be addressed in policies and procedures. The numbers in parentheses refer to the relevant sections of the Privacy regulation.

General Privacy Statement and Issues -- A general policy may be a good place to put such issues as:

  • Statement of organization's privacy principles
  • Overview of types of permission needed for use and disclosure of PHI (164.502)
  • Required disclosures (164.502)
  • Handling of PHI of deceased individuals (164.502)
  • Handling of personal representatives (164.502)
  • Privacy official (164.530)
  • No retaliation for pursuing privacy rights or whistle blowing (164.530)
  • Mitigation of damages from breach of privacy (164.530)
  • Prohibition on asking patients to waive privacy rights (164.530)

Minimum Necessary Use and Disclosure (164.502; 164.514)
De-Identification of Protected Health Information (164.502; 164.514)
Business Associates (164.502; 164.504)

  • Business Associate contract

Unemancipated Minors (164.502)
Organizational Documentation (164.504)

  • Hybrid organization
  • Affiliated Covered Entity
  • Organized Health Care Arrangement
  • Multiple Covered Functions

Uses and Disclosures for Treatment, Payment & Health Care Operations (164.506)
Authorization (164.508)

  • Authorization form

Research (164.508)
Marketing (164.508)
Opportunity to Agree or Object (164.510)

  • Facility directory
  • Persons involved in care or payment
  • Disaster relief

Public Policy Disclosures (164.512)
Limited Data Set (164.514)
Verification of Identity and Authority (164.514)
Fundraising (164.514)
Notice of Privacy Practices (164.520)

  • Notice

Request for Restrictions on Uses and Disclosures (164.522)
Requests for Confidential Communications (164.522)
Patient Access to Records (164.524)
Amendment of Patient Records (164.526)
Accounting of Disclosures (164.528)

  • Accounting form

Complaint Process (164.530)
Training (164.530)
Safeguards (164.530)
Discipline/Sanctions (164.530)
Document Retention (164.530)

 

