Benefits Compliance

Privacy Policies and Procedures


Generally, HIPAA-covered entities must implement policies and procedures in connection with protected health information (PHI) that are designed to comply with HIPAA's privacy rule requirements. Covered entities are free to design their privacy policies and procedures as they see fit, so long as certain content requirements are met. Along those lines, the written policies and procedures requirement is intended to facilitate workforce training and creation of the covered entity's notice of privacy practices, to enhance accountability with the privacy rule and to help ensure consistency in decisions relating to individuals' privacy rights.

With respect to responsibility for drafting and implementing HIPAA policies and procedures, for both self-insured and fully insured plans, the plan sponsor (generally the employer) is responsible for the plan's compliance with the written policies and procedures requirement. However, a group health plan is not subject to the privacy policies and procedures requirement if the group health plan is fully insured and does not create or receive PHI except for summary health information and enrollment information. This is commonly referred to as a fully insured “hands-off” plan.

Before implementing HIPAA policies and procedures, a covered entity must designate a privacy official and a privacy contact person or office. The privacy official is responsible for the development and implementation of the entity's privacy policies and procedures. The privacy official may be an additional responsibility given to an existing employee or may be a newly created position. The privacy contact person or office is responsible for receiving complaints and providing additional information about the plan's privacy practices and procedures.

Once a privacy official has been designated, the official can proceed with developing and implementing the entity's privacy policies and procedures. Importantly, the policies and procedures must be in writing and must include:

  • A definition of PHI
  • Permitted uses and disclosures of PHI
  • Any authorization requirements for other uses and disclosures
  • Sanctions for violations of the covered entity's policies and procedures
  • Privacy safeguards
  • Complaints procedures
  • Prohibition of retaliation and waiver of right
  • Record retention
  • Data backup plan
  • Disaster recovery plan

Importantly, the policies and procedures should be reasonably designed to ensure compliance with the privacy rule, taking into account the size of the covered entity and the types of activities relating to PHI that the covered entity undertakes.

Covered entities must also document and implement changes to policies and procedures as necessary or appropriate to comply with changes in the law and regulations. Importantly, covered entities must revise their policies and procedures, if they have not already, to reflect changes required under the Health Information Technology for Economic and Clinical Health Act (commonly known as the HITECH Act).

Because covered entities may implement different policies and practices, there is no model HIPAA privacy policy and procedures document available. Covered entities in need of assistance in drafting their privacy policies and procedures should engage outside counsel.

Recent Developments

On Sept. 16, 2013, HHS issued a model Notice of Privacy Practices. This is welcome news for employer sponsors of group health plans. For over 10 years, HIPAA has required covered entities (including group health plans) to create and distribute a Notice of Privacy Practices communicating the entity’s policies and procedures related to privacy, use and disclosure of protected health information (PHI), safeguards to protect PHI, the entity’s responsibilities and the individual’s rights. This, however, is the first time that a model notice has been provided.

The model notice is provided in three different formats: a booklet style, layered notice and text-only version. A plan sponsor may use whichever best suits their needs. The language provided should be used as a baseline and customized to reflect the plan’s specific policies and contact information. Instructions for creating the plan’s notice are also provided.

Fully insured plans that are provided through an insurance contract and that do not maintain or receive PHI outside enrollment or summary health information (“hands-off” employer) are exempt from many of the HIPAA privacy requirements, including the Notice of Privacy Practices. The insurance carrier issuing the policy is responsible for creating and distributing the notice to participants, although such employers should be aware of the requirement and work closely with insurers to understand the privacy practices of the insurer.

Employer Action Required

Employers sponsoring group health plans will generally need to comply with the written privacy policies and procedures requirement. Employers should select a privacy official to design and implement the plan's privacy policies and procedures. The policies and procedures should reflect all of the required content, as outlined above.

That said, fully insured hands-off group health plans (i.e., fully insured plans that do not create or receive PHI other than summary health information and enrollment information) are not required to comply with the written privacy policies and procedures requirement.

Penalties for Noncompliance

Covered entities that fail to properly implement HIPAA privacy policies and procedures may be subject to civil penalties from $100 to $50,000 per violation. In certain circumstances, criminal penalties may also apply, including a fine of up to $250,000 and imprisonment for up to 10 years.

Frequently Asked Questions

Q1. What is the difference between the Privacy Practices and Procedures requirement and the Notice of Privacy Practices requirement?
A. The two requirements serve different purposes and must meet different requirements. Although a covered entity's policies and procedures and its Notice of Privacy Practices somewhat overlap, the policies and procedures should contain a detailed description of all of the entity's privacy practices. In addition, the policies and procedures should provide guidance for the members of the covered entity's workforce who deal with PHI and have responsibility for privacy compliance. On the other hand, the Notice of Privacy Practices is meant to notify participants of the covered entity's practices.

Q2. Is there any difference in meeting the written privacy policies and procedures requirement for smaller versus larger employers?
A. While the requirements remain the same for employers of all sizes, the U.S. Department of Health and Human Services has stated that covered entities that employ more individuals and are involved in a wider array of endeavors are likely to require more specific policies. In addition, the requirements of the policies and procedures rule are flexible, so that smaller covered entities need not follow detailed rules that might be appropriate for larger entities with complex information systems. Because policies and procedures vary between covered entities of different sizes and types, it is important to engage outside counsel in drafting the written privacy policies and procedures.

Additional Resources


  • 45 CFR Section 164

The above links are provided for your information only. NFP does not endorse, nor accept any responsibility for the content, products and/or services provided at non-NFP sites. Some information contained in the NFP site is provided by third parties. We do not independently verify this information, nor do we guarantee its accuracy or completeness. Information provided from governmental agencies is subject to change.

Page last reviewed or updated April 2014.

This material was created by NFP, its subsidiaries, or affiliates for distribution by their Registered Representatives, Investment Advisor Representatives, and/or Agents. This material was created to provide accurate and reliable information on the subjects covered. It is not intended to provide specific legal, tax or other professional advice. The services of an appropriate professional should be sought regarding your individual situation. Neither NFP Securities, Inc. nor NFP Benefits offer legal or tax services.