Healthcare Administrators

HIPAA Policy Document Drafter

Draft a HIPAA-compliant policy document for a specific privacy or security requirement. This prompt helps healthcare administrators write comprehensive, plain-language HIPAA policies that address regulatory requirements, establish clear staff expectations, and demonstrate good-faith compliance efforts during an audit or breach investigation.

This prompt helps healthcare compliance staff draft a structured HIPAA policy document using organization type, policy subject, regulatory basis, organization size, and any special operational context as inputs — no PHI or patient data is entered or produced. It generates a complete policy document with a formal header, purpose statement, scope, policy statement, step-by-step procedures, roles and responsibilities, a sanctions section, training requirements, documentation and recordkeeping obligations, and a review schedule. It is designed for Privacy Officers, compliance managers, and healthcare administrators at physician practices, hospitals, and business associates building or updating their HIPAA compliance program documentation.

Testedclaude-sonnet-4-6ValidatedMar 2026ScopeThis does not constitute medical advice. Follow HIPAA guidel…TierProfessional
AI Role
You are a senior healthcare administrator with expertise in HIPAA compliance pro…
Models
Claude
Confidence
Professional
Constraints
This does not constitute medical advice. Follow HIPAA guidelines. Recommend consulting qualified healthcare professionals.
Never include actual patient Protected Health Information (PHI) in prompts or outputs.
HIPAA policies must be reviewed by legal counsel and a qualified HIPAA Privacy Officer before adoption — AI-generated policies require professional review.
HIPAA requirements differ for covered entities vs. business associates — confirm which requirements apply to the organization before finalizing policy language.
Tested Models
claude-sonnet-4-6
Uncertainty
If the specific HIPAA requirement or organization type is unclear, generate a general privacy policy framework applicable to a covered entity and note that it must be reviewed against the specific regulatory provisions applicable to the organization.
Scope
PHI-free admin only — use a BAA-compliant AI (e.g. BastionGPT or Azure OpenAI) for PHI.
Last updated
2026-05-28Published

The prompt

1,937 characters
hipaa-policy-drafter.prompt
You are a senior healthcare administrator with expertise in HIPAA compliance program management, privacy policy development, and healthcare regulatory requirements.

Draft a HIPAA policy for the following:

Policy context:
- Organization type: [ORGANIZATION_TYPE — e.g., physician practice, hospital, business associate]
- Policy subject: [POLICY_SUBJECT — e.g., minimum necessary standard, workforce sanctions, access control, breach notification, business associate agreements]
- Regulatory basis: [HIPAA PRIVACY RULE / SECURITY RULE / BREACH NOTIFICATION RULE / OMNIBUS RULE]
- Organization size: [SIZE — individual provider / small practice / medium / large health system]
- Special context: [ANY_SPECIAL_CONTEXT — e.g., telehealth services, remote workforce, electronic health records system]

Draft a policy with the following sections:

## Policy Header
Policy title, policy number format, effective date, review date, and applicable regulatory citations.

## Purpose
Why this policy exists — the specific risk or requirement it addresses.

## Scope
Who this policy applies to: workforce members, departments, contractors, vendors.

## Policy Statement
The organization's clear position on the topic — what is required, what is prohibited.

## Procedures
Step-by-step implementation procedures for staff — specific enough to be actionable.

## Roles and Responsibilities
Who is responsible for what: Privacy Officer, Security Officer, workforce members, management.

## Sanctions
Consequences of policy violation — graduated sanction structure reference.

## Training Requirements
When and how workforce members are trained on this policy.

## Documentation and Recordkeeping
What records must be maintained and for how long (HIPAA requires 6 years).

## Policy Review
How often the policy is reviewed and updated, and who is responsible.

Note: Policies must be reviewed by legal counsel and your Privacy Officer before adoption.
WAITLIST

Runner beta coming — join the waitlist.

In-product execution isn't live yet. Leave your email and we'll let you know if the Runner beta opens.

How to use this prompt

1

1. Identify the specific HIPAA requirement the policy is addressing (cite the regulatory provision) before drafting — this ensures the policy covers the required elements.

2

2. Have both the Privacy Officer and legal counsel review the draft before adoption — HIPAA policies have legal significance and require professional validation.

3

3. Document when the policy was adopted and when each workforce member completed training on it — this documentation is critical during OCR audits.

Customization tips

Add 'The organization uses [specific EHR/technology platform] — include platform-specific procedures for access control and audit logging for that system.'
For multi-site organizations, add 'Address whether this policy applies uniformly across all sites or whether site-specific addendums are required.'
Append 'Include a reference to the Breach Notification Policy for incidents that may constitute a breach of unsecured PHI — cross-reference is important for staff response consistency.'

Sample output

Mar 2026Professional
HIPAA Privacy and Security Policy — Employee Workforce Training Acknowledgment and Policy Overview Policy Reference: PP-001 Effective Date: [Date] Next Review Date: [Annual — Date] Applicable to: All workforce members, contractors, and volunteers with access to protected health information POLICY STATEMENT: [Organization Name] is committed to protecting the privacy and security of all protected health information (PHI) in compliance with applicable federal privacy and security regulations. All workforce members who access, use, transmit, or maintain PHI are required to understand and comply with the obligations described in this policy. DEFINITION OF PROTECTED HEALTH INFORMATION: PHI includes any individually identifiable health information — including demographic information, medical records, billing records, appointment information, and any information that could reasonably be used to identify a patient — in any format (paper, electronic, verbal). CORE PRIVACY OBLIGATIONS FOR ALL WORKFORCE MEMBERS: 1. Minimum Necessary Standard: Access only the PHI necessary to perform your specific job function. Do not access records for patients who are not under your direct care or administrative responsibility. 2. Need-to-Know Basis: PHI may only be disclosed to workforce members who need it to perform their job duties. Internal sharing of PHI must have a legitimate treatment, payment, or healthcare operations purpose. 3. Verbal Privacy: Patient conversations must occur in locations where they cannot be overheard by individuals who do not have a need to know. Do not discuss patient information in public spaces, hallways, or waiting rooms at a volume that can be heard by others. 4. Secure Disposal: PHI in paper format must be shredded using an approved cross-cut shredder before disposal. PHI on electronic media must be disposed of using approved data destruction protocols. 5. Incident Reporting: Any suspected or actual unauthorized access, use, or disclosure of PHI must be reported to the Privacy Officer within 24 hours of discovery. Prompt reporting enables timely breach risk assessment and patient notification if required. Workforce member signature confirming receipt and understanding of this policy is required annually and is maintained in the HR record.

Related prompts

Frequently asked questions

Read the Healthcare Administrators AI Guide
Professional Disclaimer

This AI-generated content is for informational and educational purposes only. It does not constitute medical or legal advice. Always follow HIPAA guidelines and consult qualified healthcare professionals for specific clinical or regulatory matters.