HIPAA Privacy Rule Checklist

HSG-HIPAA-Privacy-Rule-Checklist Digital Download Add to Cart$229.95

Omnibus Rule Ready

Our HIPAA Privacy Rule Checklist ("Checklist") is intended to deliver guidance, including suggested policies, processes, and tracking mechanisms that will allow you to make sense out of this new terrain. It is intended as a knowledge transfer vehicle that allows you to derive the HIPAA Privacy Rule compliance solution that works best within your organization. Our Checklist will “walk you through” the relevant statutory/regulatory sections of the HIPAA Privacy Rule, highlighting the policies, processes and tracking mechanisms required at a granular level.

Our Checklist is comprised of Checklist Items that have the following components:

1) a policy statement that reflects an organization's intentions:  the what;

2) a definition of a process by which the policy is implemented:  the how; and

3) suggested tracking mechanism(s) for capturing process results:  the measurement.

What is a Policy?

 The word “policy” can be used in so many ways that it bears some exploration, especially for our purposes (i.e. as it pertains to HIPAA regulatory compliance). We often talk of “developing a policy,” or of “implementing a policy” or of “carrying out a policy.” For example, 45 CFR §164.530 (i) states as follows:

Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part.

Notice that a distinction is made between policies versus procedures. In general, we can think of a “policy” as a purposeful set of decisions or actions usually in response to a problem that has arisen. From a compliance perspective, a policy is a set of statements, including decisions and actions, regarding what an organization intends to do with respect to meeting its regulatory requirements (e.g. see our Breach Notification Policy). A policy indicates what an organization intends to do and is often also used as a communications vehicle of said intent.

Our Checklist contains a HITECH compliant Privacy Policy that can be used out-of-the-box or customized to meet your organization's specific requirements. However, our Checklist contains much more than mere policy statements. A policy is a necessary, but insufficient, component of a compliance initiative.

What is a Process?

A process is a repeatable series of steps that must be accomplished over time. From a HIPAA regulatory compliance perspective, processes are how policies get implemented. Policies without processes are nothing more than empty promises and will not prevent serious compliance liability. HHS is going to want to see evidence not only of policies but of processes as well. Every Checklist Item contains process suggestions that will enable you to quickly "stand-up" your Privacy Rule Compliance initiative. 

What is a Tracking Mechanism?

 A tracking mechanism is a way to keep track of process results. For example, QuickBooks is a tracking mechanism for accounting data and processes. You must be able to track the results of your compliance processes if you hope to provide visible demonstrable evidence that you are meeting your regulatory requirements. 

Other components included in our Checklist?



Model HIPAA Privacy Policy

Comprised of the policy statements included in the individual Checklist Items with some global clauses added.

Model Notice of Privacy Practices

This document contains a Model Notice of Privacy Practices (“NOPP”) that is referenced from the Checklist.

Model Restriction Request Form

This document contains a Model Restriction Request Form to be used by patients when they submit PHI restriction requests.

Model Patient Request Log

This document contains a Model Patient Request Log to be used by workforce members for logging patient requests for: 1) restrictions; 2) authorization; 3) PHI Access; etc.

H2 Compliance Scorecard

H2 Compliance Scorecard for the Checklist. The Scorecard can be used as an internal tracking system to log an organization’s Privacy Rule compliance improvement initiative over time.

Customize It!

Our HIPAA Privacy Rule Checklist under HITECH was developed in a manner that lends itself readily to customization in order to meet the unique requirements of Your Organization.


As a Healthcare Technology vendor we found ourselves with little direction attempting to learn and comply with HIPAA and HITECH regulations. The overhead of learning and implementing needed policies and procedures was so detrimental to our internal efficiency and service delivery that we had to discontinue service for a major share of our client base just to concentrate on HIPAA regulations. We have since found the HIPAA Survival Guide and signed up for their Subscription Plan. With the help and guidance provided by HSG, we have now returned our focus to what we do best. In the past 6 months our company has increased knowledge, literature, and direction as well as record revenue by 421%. Thank You HSG, we couldn’t have done it without you!” -Wiles Tech See More Testimonials...