The No-Hassle Guide to HIPAA Policies, Second Edition



Product Code: NHGHP2



The No-Hassle Guide to HIPAA Policies: A Privacy and Security Toolkit, Second Edition, is a clear, comprehensive, and user-friendly resource with 40 sample policies and 21 sample forms to help ensure HIPAA compliance.

Covered entities and their business associates can customize the sample forms and policies to meet the needs of their organizations and satisfy longstanding HIPAA requirements and new Omnibus Rule requirements. The sample forms and policies are also available in the online Appendix to facilitate use and customization.


Revisions in this edition that pertain to the Omnibus Rule apply to the following privacy rights and organizational responsibilities:

  • Privacy and security incident response
  • BA contracts
  • Uses and disclosures of protected health information (PHI) for fundraising
  • Uses and disclosures of PHI for marketing and sale
  • Right to inspect, copy, and request transmittal of one’s PHI
  • Right to request restrictions on one’s PHI
  • Notice of privacy practices
  • Updated policies and forms


The HIPAA Omnibus Rule (enforceable September 23, 2013) made significant changes to the healthcare landscape by expanding patient privacy rights and organizations’ obligations. This set of revised privacy and security policies and forms will help covered entities and business associates (BA) develop clearly written policies and associated procedures that describe the rules by which the workforce operates. This helps ensure consistency in how work processes are performed and establishes expectations for workforce conduct.




  • Terms
  • All About Policies
  • What Are HIPAA Policies?
  • How to Use This Book

Section I: Where Privacy and Security Intersect

  • Roles and Responsibilities
  • Combined Privacy and Security Policies

Section II: Privacy

  • Other Regulations
  • Forms
  • Covered Entity Use and Disclosure of PHI
  • Individual Privacy Rights Concerning PHI

Section III: Security

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards


Glossary of HIPAA Terms

  • Business associate (BA) 45 CFR 160.103
  • Covered entity (CE) 45 CFR 160.103
  • Designated record set (DRS) 45 CFR 164.501
  • Disclosure 45 CFR 160.103
  • Genetic information 45 CFR 160.103
  • Healthcare operations 45 CFR 164.501
  • Individually identifiable health information 45 CFR 160.103
  • Marketing 45 CFR 164.501
  • Payment 45 CFR 164.501
  • Protected health information (PHI) 45 CFR 160.103
  • Psychotherapy notes 45 CFR 164.501
  • Research 45 CFR 164.501
  • Treatment 45 CFR 164.501
  • Use 45 CFR 160.103
  • Workforce 45 CFR 160.103


Policies and forms are also available in the online Appendix to facilitate customization and use at your organization.


  • Designation of Privacy Officer
  • Information Security Program Governance
  • Information Asset Protection Responsibility
  • Sanctions for Privacy and Security Violations
  • Confidential Data Protections
  • Privacy and Security Incident Response and Breach Notification
  • Minimum Necessary Access and Disclosure
  • Document Retention
  • Managing Business Associates
  • Uses and Disclosure of PHI for Treatment, Payment, and Healthcare Operations
  • Uses and Disclosures of PHI Not Requiring Permission or Opportunity to Agree or Object
  • Uses and Disclosures of PHI for Research
  • Uses and Disclosures of PHI for Care Involvement and for Notification
  • Uses and Disclosures of PHI in Facility Directories
  • Uses and Disclosures of PHI for Fundraising
  • Use and Disclosure of PHI in Limited Data Sets
  • Use and Disclosure of De-Identified Information
  • Uses and Disclosures of PHI Requiring Authorization
  • Privacy Notice Content and Delivery
  • Right to Inspect, Copy, and Request Transmittal of One’s PHI
  • Right to Request Amendment of One’s PHI
  • Right to Request Restrictions on One’s PHI
  • Right to Accounting of Disclosures of One’s PHI
  • Right to Receive Confidential Communications
  • Information Security Management Program
  • Information Security Classification
  • Information System Activity Review
  • Supervision of Unauthorized Individuals
  • Computer Security Contingency Plan
  • Regulatory Compliance Auditing of Computer Security
  • Facility Security
  • Walk-Around Security Reviews
  • Review of Security-Related Facilities Work
  • Acceptable Computer Use
  • Security of Portable Computers and Media
  • Off-Site Work Security
  • Encryption of Confidential Data Over the Internet and Wireless Networks
  • Disposal of Confidential Information
  • Electronic Mail Use
  • Firewall Management


  • Chief Privacy Officer Job Description
  • Chief Information Security Officer Job Description
  • Confidentiality Acknowledgment
  • Request for Waiver of Authorization for Research
  • Directory Preferences
  • Authorization for Use or Release of Your Health Information
  • Privacy Notice
  • Privacy Notice—Acknowledgment of Receipt
  • Request to Review, Obtain a Copy, or Send a Copy of My Health Records
  • Denial (and Review of Denial) of Patient Access to Health Records
  • Denial of Request to Review or Obtain a Copy of Your Health Records
  • Request for Amendment of Your Health Information
  • Request for Restriction on Use or Disclosure of Health Information
  • Request for Accounting of Disclosures of My Health Information
  • Request for Confidential Communications
  • Access Termination Checklist
  • Authorizer Form
  • Request for Access to the EMR System
  • Walk-Around Security Audit
  • Working Off-Site Security Agreement
  • Integrity of PHI at ABC Organization


This book is a valuable resource for the following covered entity and business associate staff members:

  • Chief information officers
  • Compliance officers
  • Healthcare officers charged with HIPAA compliance
  • HIM directors
  • Information technology managers
  • Information security officers
  • Privacy officers
  • Privacy officials
  • Risk managers
  • Security officers


Kate Borten, CISSP, CISM, president of The Marblehead Group, offers a unique blend of technical and management expertise, information security and privacy knowledge, and an insider’s understanding of the healthcare industry. Her company, founded in 1999, serves the full spectrum of healthcare covered entities and their business associates with respect to understanding privacy and security regulations, establishing and enhancing formal privacy and security programs, and assessing risk and regulatory compliance. Borten has more than 20 years of experience designing, implementing, and integrating healthcare information systems at world-renowned medical facilities, including Massachusetts General Hospital.

Published: March 2014