Key Takeaways
A HIPAA privacy policy is a written policy document that translates 45 CFR Part 164 privacy requirements into operational rules for your practice.
The policy must cover PHI collection, use, disclosure, patient rights, BAA requirements, breach notification procedures, and workforce training.
Your policy differs from a Notice of Privacy Practices, or NPP. The NPP is external-facing, while your privacy policy is internal governance.
Practice management software like Pabau helps enforce privacy standards through digital forms and client-portal controls that limit PHI access and automate documentation.
Download your free HIPAA privacy policy template
A comprehensive privacy policy template designed for covered entities and business associates. Covers PHI protection, patient rights disclosure, use and disclosure authorization, business associate governance, breach notification timelines, and workforce training requirements under 45 CFR Part 164.
Download templateMost healthcare practices don’t realize their HIPAA privacy policy and their Notice of Privacy Practices serve completely different purposes. The privacy policy is your internal governance document. It tells staff how to handle protected health information.
The Notice is what patients sign to confirm they’ve been informed of their rights. Without a clear, documented HIPAA privacy policy, your practice risks OCR enforcement action, eroded patient trust, and failed compliance audits.
This guide explains what goes into a HIPAA privacy policy, walks you through HIPAA compliance workflows, shows you how to customize a template for your specific practice, and covers the annual review process. We’ve also included a free, downloadable HIPAA privacy policy template above, ready to adapt for your practice, medical office, or med spa. Related intake resources, like our Kinsey scale template, follow the same customization approach.
What is a HIPAA privacy policy?
A HIPAA privacy policy is a written internal document that outlines how your covered entity or business associate collects, uses, discloses, and protects patients’ protected health information (PHI) in compliance with 45 CFR Parts 160 and 164. It translates the dense regulatory language of the Privacy Rule into practical operational procedures your workforce follows every day.
Under the Privacy Rule, every covered entity must implement written policies and procedures addressing:
- How PHI will be collected, stored, and accessed
- Permitted uses and disclosures without patient authorization (e.g. treatment, payment, healthcare operations)
- Patient rights to access, amend, and receive an accounting of disclosures
- Breach notification procedures and timelines (60 days to notify affected individuals)
- Workforce training requirements and sanctions for non-compliance
- Business Associate Agreements (BAAs) and vendor governance
The Privacy Rule always permits PHI use for treatment, payment, and healthcare operations. Separately, it permits PHI disclosure without patient authorization for 12 national priority purposes, including public health activities, law enforcement requests, and research under an Institutional Review Board. Your privacy policy must document each of these permitted uses as they apply to your practice. For uses outside these categories, your practice needs a signed HIPAA authorization form.
Unlike the Notice of Privacy Practices (which patients receive), your privacy policy is a governance document. It’s audited by OCR, referenced during compliance assessments, and used to train staff on their obligations under law.
How to use the HIPAA privacy policy template
The template provided above covers the core requirements of 45 CFR 164.530(i). Customizing it for your practice takes five straightforward steps.
- Identify your practice type and covered entity status. Are you a healthcare provider, health plan, or healthcare clearinghouse? Insert your organization’s legal name, contact details, and Privacy Officer designation in the header section. The Privacy Officer holds responsibility for policy enforcement and breach investigation. Name a specific individual or department for this role.
- Document your permitted uses of PHI. List the specific clinical, administrative, and operational purposes your practice uses PHI for. If you conduct clinical research, list the IRB protocols. If you share records with other practices for treatment, name those arrangements. The template includes placeholder language for treatment, payment, and healthcare operations. Edit this language to match your practice’s workflows.
- Disclose your business associate relationships. List every vendor, contractor, or partner who handles PHI on your behalf (billing services, cloud EMR providers, transcription services, marketing platforms). If you use scheduling software or telehealth platforms, confirm those vendors have signed BAAs too. The template includes a Business Associate Governance section. Populate it with your vendor list and attest to BAA execution.
- Define your breach notification procedures. The template includes a 60-day notification timeline (required by the Breach Notification Rule). Add your internal breach response team, incident log template location, and communication templates for notifying affected individuals. If your practice uses HIPAA compliance software with audit trails and access controls, reference those systems as your breach prevention safeguards.
- Establish workforce training schedules. Document when staff receive initial HIPAA training (typically at hire), annual refresher training topics, and consequences for policy violations. The template includes sample sanctions. Adapt these to your practice’s disciplinary structure. Reference digital intake forms and secure patient portals as training topics for staff handling PHI through technology.
After customizing, circulate the policy to your Privacy Officer, compliance officer (if you have one), and your legal counsel for final sign-off. Schedule an annual review each January, or sooner if your practice structure, vendors, or PHI handling procedures change significantly.
HHS published updated model notices in February 2026. Check for any updates to disclosure language that affect your internal policy.
Turn HIPAA Policy Into Operational Reality
See how Pabau's compliance management tools, digital forms, and audit trails help practices enforce privacy standards and document workforce training.
Who is the HIPAA privacy policy helpful for?
Any covered entity under HIPAA must have a written privacy policy. This includes healthcare providers (MDs, DOs, therapists, chiropractors), health plans (insurance companies, HMOs), and healthcare clearinghouses. Business associates (billing services, cloud EMR vendors, transcriptionists) must also implement policies aligned with their BAAs.
Healthcare practices most frequently need custom policies:
- Mental health practices, therapy practices, and psychiatry offices — handling sensitive behavioral health records
- Med spas and aesthetic practices — documenting consent, before-and-after photo governance, and the requirements in our medical spa compliance checklist
- Medical offices and primary care practices — multi-provider workflows requiring vendor coordination
- Multi-location practices — central policy covering all locations with decentralized Privacy Officer roles
- Small independent practices going paperless — needing documented workflows for digital form submission and patient portal access
Even if you contract your billing to a third party or use a cloud EMR, you, the covered entity, retain responsibility for enforcing HIPAA. A clear privacy policy ensures every staff member knows their obligations and PHI stays protected throughout its lifecycle. For broader guidance on securing digital records, see our EHR security guide.
Benefits of using a HIPAA privacy policy
Regulatory compliance and audit readiness. OCR’s audit findings often cite missing or outdated privacy policies. A documented policy directly addresses 45 CFR 164.530(i) and demonstrates good-faith compliance effort. That matters if OCR ever investigates a breach or patient complaint.
Workforce accountability. When staff sign a privacy policy, they acknowledge their training and understand consequences for violations. This creates a culture of privacy consciousness and reduces accidental disclosures. Documented training records also satisfy HIPAA’s workforce training requirement. If you can show annual training logs linked to your policy, you’ve met the standard.
Vendor governance clarity. A policy that lists all BAAs and vendor responsibilities helps you spot missing agreements when staff onboard new contractors. You’ll know exactly which vendors have signed agreements and which ones still need them, reducing the risk of unauthorized PHI handling by business associates.
Breach response protocols. If a breach occurs, you need an immediate, documented response. A privacy policy that includes breach notification procedures, escalation paths, and communication templates lets you act fast and notify affected individuals within the 60-day window required by the Breach Notification Rule, avoiding OCR penalties.
Patient trust and transparency. Patients increasingly expect healthcare organizations to take privacy seriously. A clear Notice of Privacy Practices, linked to and informed by your internal privacy policy, signals genuine commitment to their information security rather than a box-ticking exercise. That commitment should extend to social media, where PHI can leak just as easily as anywhere else.
Pro Tip
Don’t confuse your internal HIPAA privacy policy with the Notice of Privacy Practices patients sign. Your privacy policy governs staff conduct and internal safeguards under 45 CFR 164.530. The NPP is a patient-facing document explaining their rights and your practices. These are two separate requirements under HIPAA. Update both if your PHI handling changes.
Business associate agreements and vendor governance
Every vendor, contractor, or partner who handles PHI on behalf of your practice is a business associate under HIPAA. This includes your billing service, cloud EMR provider, transcription vendor, marketing platform or HIPAA compliant CRM, and even your accountant if they see financial details tied to patient names. Each must sign a Business Associate Agreement (BAA) before handling any PHI.
Your HIPAA privacy policy should document your vendor governance process. List the criteria you use to vet new vendors: Do they have HIPAA-compliant infrastructure? Do they subcontract with other vendors who also need BAAs? What is your incident response SLA if they have a breach?
A sample vendor evaluation checklist appears in the template. Reference compliance management tools that track BAA execution dates and keep BAAs accessible during audits.
PHI covers more than names and insurance numbers. It includes every diagnostic and procedure code tied to a patient’s chart, whether that’s M94.9 or CPT 99100.

Important: AI tools and generative AI vendors are increasingly becoming business associates. If your practice uses AI-powered dictation, note-generation software, or data analysis platforms, ensure they have signed BAAs covering PHI use. The same scrutiny applies to telehealth platforms. The regulatory landscape around AI and HIPAA is evolving, and your privacy policy should flag both as vendor risks requiring ongoing review.
Annual policy review and breach notification procedures
Treat your privacy policy like any regulatory document. Review it at least annually, or sooner if your practice changes. Common triggers for updates include:
- Hiring a new Privacy Officer
- Onboarding a new vendor
- Launching a new service line
- Moving to a new EMR system
- Spotting a missing safeguard during internal audits
Set a calendar reminder for January each year to schedule a privacy policy review meeting with your Privacy Officer and compliance team. Document the date, any changes made, and sign-off. This audit trail shows OCR that privacy governance stays active and responsive year-round.
Your policy must include clear breach notification procedures. If you discover PHI has been accessed, used, or disclosed without authorization, the Breach Notification Rule requires you to notify affected individuals within 60 days.
Your privacy policy should name the breach response team, define what constitutes a reportable breach versus a minor slip that poses low risk, and outline communication templates. Many OCR enforcement actions stem from delayed or absent breach notifications, so a documented process helps you avoid missing the deadline.
Keeping your HIPAA privacy policy audit-ready
A written HIPAA privacy policy transforms abstract regulatory language into workflows your practice can actually follow. It protects PHI by documenting when and how staff can access it, clarifies vendor relationships through BAA tracking, and creates a response protocol if a breach occurs.
Without a policy, you’re exposing your practice to OCR findings, patient trust erosion, and potential civil penalties.
Use the free template above to build your policy. Customize it for your specific patient population, vendor relationships, and workforce structure. Then commit to an annual review cycle.
Your Privacy Officer, compliance team, and every staff member who touches PHI will have a clear, documented standard to follow, and you’ll have evidence of good-faith compliance if OCR ever calls. Pabau helps practices document and enforce privacy policies with built-in compliance tools and audit trails. Schedule a demo to see it in action.
Continue your research
How should your staff handle patient requests to see their own records? medical office HIPAA compliance covers the patient access rights your policy must enforce, including response timelines and fees.
Does your practice know the warning signs of a HIPAA breach? med spa HIPAA requirements includes breach identification scenarios so you can act quickly.
Are you tracking which staff have completed annual HIPAA training? Compliance management software automates training tracking and breach logging so your policy enforcement is documented and audit-ready.
Frequently asked questions
A HIPAA privacy policy is a written internal document that outlines how your covered entity collects, uses, discloses, and protects protected health information (PHI) in compliance with 45 CFR Part 164. It documents your workforce’s responsibilities and safeguards for patient data.
Your privacy policy is internal governance. It tells staff how to handle PHI. The Notice of Privacy Practices is external-facing. It informs patients of their rights and your practices. Both are required under HIPAA, but they serve different audiences.
Review your policy at least annually, or immediately if your practice structure, vendors, services, or PHI handling procedures change. Document the review date and any updates, then circulate to staff and obtain sign-off from your Privacy Officer.
Missing a documented privacy policy violates 45 CFR 164.530(i). OCR can impose civil monetary penalties that scale by culpability tier and are adjusted annually for inflation, currently reaching well over $2 million per violation category at the top tier. A breach without a documented policy in place typically results in higher enforcement action and damages your credibility in court if a patient sues.
You may use one central policy covering all locations, but assign location-specific Privacy Officer roles and document how each location follows shared procedures. Some practices include location-specific appendices if workflows differ (e.g. a mental health practice versus a med spa under the same parent company).