CMA: Privacy Policy

Disclaimer: CMA/PrivaPlan PrivaGuide: Establishing a Privacy Policy

The information provided in this document does not constitute, and is no substitute for, legal or other professional advice. Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns. 

PrivaGuide: Establishing a Privacy Policy

By Lesley Berkeyheiser and David Ginsberg



The HIPAA privacy rule requires that HIPAA covered entities document the policies and procedures that they have adopted in order to meet HIPAA privacy standards and implementation specifications. HIPAA does not dictate which specific policies and procedures must be adopted – this is left to the individual organizations to decide. We recommend that, at a minimum, each organization document its privacy and security policies and procedures. The difference between privacy and security policies is:


PRIVACY POLICY – The privacy policy specifies which practices are allowed and which practices are not allowed with respect to uses and disclosures of protected health information (PHI). The organization’s privacy policy sets bounds on employee activities that relate to the basic privacy rights of patients and health plan members.


SECURITY POLICY – The security policy specifies which practices are allowed and which practices are prohibited with respect to data stored on and transmitted between computers. The organization’s security policy establishes a standard of due care to prevent the accidental exposure of sensitive health information.


The difference between privacy and security.


Privacy is “doing the right things” while security is “doing things right.”


You are doing the right thing if the patient knows what you are doing and agrees to it. For example, you may discuss a patient’s illness with a family member if the patient has given you permission. You may not use a patient’s information in a clinical trial if the patient has not authorized it.


You are doing things right if you are not being careless in your handling of PHI. You may send confidential information to a patient via email, for example, if that email is encrypted. You may not send confidential information to a patient using a post card, because it would be too easy for the information to be read by someone other than the intended recipient. 



Creating Your Privacy Policy


Implementation Suggestion:



You will find a “Privacy Policy Draft” in the Policies and Procedures section. It is called a “draft” rather than a “template” because you need to do more than simply customize a standard form. You must change the sample text in the privacy policy draft to reflect the actual policies of your organization.

Implementation Suggestion:


Start this after you have completed your Notice of Privacy Practices and other forms (and the related PrivaGuides). Your Privacy Policy needs to be consistent with your Notice of Privacy Practices and forms, which cover how your medical practice will protect and disclose PHI, and implement your patients’ rights under HIPAA and California law.

Implementation Suggestion:


Modify the Privacy Policy so it covers:

- Your designation of a Privacy Official and a person responsible for receiving complaints (in a small practice, these responsibilities may be handled by a single individual).
- Your HIPAA training program for your staff, both initially and ongoing for new staff and for new responsibilities.
- Your commitment to appropriate administrative, technical and physical safeguards to protect the privacy of PHI.
- Your complaint process, which includes written documentation of all complaints and their disposition.
- The sanctions which apply against staff members who violate your privacy policy and procedures or HIPAA requirements.
- Your commitment to mitigate the harmful effects of any violations of your privacy policies or procedures or HIPAA requirements by your staff or your business associates.
- Your commitment not to intimidate or retaliate against anyone who exercises their rights, files a complaint, participates or otherwise assists in an investigation, or reasonably opposes any practice the person believes in good faith to be unlawful under HIPAA.
- That you will not require anyone to waive their HIPAA rights as a condition of treatment or payment, except as authorized by HIPAA.
- That you have reasonably designed your policies and procedures to comply with HIPAA and California law, taking into account the size of your medical practice, and that you will change your policies and procedures as necessary and appropriate to comply with changes in the law. Further, you may change your policies and procedures, effective with respect to all PHI within the medical practice, as soon as the revised Notice of Privacy Practices reflecting the change(s) is published. Where the change does not materially affect your Notice of Privacy Practices, you may implement the change as soon as it is documented in the appropriate policy or procedure.
- That you will maintain all documentation for at least six (6) years after it was created, or was last in effect, whichever is later.
- Compliance with minimum necessary requirements for use, disclosure and requests of PHI.
- Your treatment of psychotherapy notes, if applicable.
- Your policy to notify employees of disclosures to employers [California limits this to workers’ compensation, OSHA or when an authorization is on file.]
- Your policy of notifying victims of abuse, neglect or domestic violence of reports you make to the appropriate public agencies.
- Your policy on fundraising, if applicable.
- Your policy on verification of identity for individuals requesting access to PHI.

Implementation Suggestion:


To modify the Privacy Policy Draft, do the following:

1. Begin by customizing the privacy policy draft. Read the legal disclaimer and customization instructions at the beginning of the document and then delete them. (This information is for your use in customizing the document; it is not intended to be read by your organization’s employees.)
2. Replace any text in brackets with text that is appropriate to your organization.
3. Complete any formatting (such as the inclusion of company logos) that is necessary to make this policy document consistent with other documents in your organization.
4. Next, read the sample text. Each of these sections deals with a basic element of HIPAA privacy protection. To the extent possible, you should reword each section to reflect the specific practices that you have created for your practice. For example, you may decide that certain functions may only be performed by certain personnel, or within certain departments, or with a certain form of management approval.
5. Try not to make the policy statement too detailed; remember that the details will be spelled out in the various procedures that are designed to implement the policy.
6. When you are finished customizing the sample text, you may want to consider other privacy-related rules that your organization wishes to establish, even if they are not strictly required by HIPAA. For example, you may wish to set a shorter required response time for amendment requests. These items should be added to the privacy policy document.
7. Where appropriate, you may wish to include sanctions provisions. Sanctions are the disciplinary measures that will occur in the event of careless disregard or deliberate violation of any of these rules. Alternatively, you could keep the documentation of sanctions in a separate sanctions policy.
8. As a final step in crafting your organization’s privacy policy, make sure the appropriate management personnel have reviewed the document and agreed that it is in its final form. Remember that this is an expression of the rules of conduct to be followed by all members of your organization and that there are serious consequences for those who break the rules.

About the Authors: 


This PrivaGuide has been greatly improved and customized by the California Medical Association, specifically through the work of Catherine Hanson, Vice President and General Counsel of the CMA, and Steve Fleisher, Esq. of Fleisher and Associates.



Lesley Berkeyheiser


Ms. Berkeyheiser has over twenty years’ experience in the healthcare industry, most of it involving managed care, including direction and management of healthcare operations at various renowned health plans. She is Principal and founder of The Clayton Group, LLC, an independent consulting company specializing in healthcare issues including Health Insurance Portability and Accountability Act of 1996 (HIPAA) preparation work, business development and technology. She has created and/or maintains ownership of various HIPAA remediation products, including HIPAA training products (PrivaPlanED), Gap Analysis (PrivaPlan), and HIPAA Policies and Procedures (Clayton MacBain HIPAA Templates). She actively participates as Co-Chair for Security and Privacy, and was past Leader of the Vendor Technologies Interdependencies subgroup, of the Workgroup for Electronic Data Interchange Strategic National Implementation Process (WEDi SNIP). This gives her an extensive and current knowledge of HIPAA remediation solutions.


Ms. Berkeyheiser can be contacted at The Clayton Group, 53 Bethel Road, Glen Mills, PA 19342. Telephone: (610)-558-3332. Email:



David Ginsberg


Mr. Ginsberg is President of PrivaPlan Associates, Inc. and is one of the founders.


David Ginsberg is a healthcare consultant with over twenty-five years’ experience. Most recently he organized, and is Executive Director of, the Colorado Physician Network, a statewide network of 2500 physicians. Mr. Ginsberg was also Vice President of Intellectron/Medcobill, a large regional physician practice management and billing company providing services to over 1000 physicians in California; during this time he implemented the second Medicare electronic claims transmission program of its kind and pioneered an EDI solution for Medicaid.

Mr. Ginsberg has expertise in managed care operations, IPA development, and physician-hospital strategic planning, practice management consulting, and compliance issues.


Mr. Ginsberg can be contacted at David A. Ginsberg Consulting, 3 Monte Alto Way, Santa Fe, NM 87508. Telephone: 877-218-7707. Email:
