HIPAA Policy Document Drafter
Draft a HIPAA-compliant policy document for a specific privacy or security requirement. This prompt helps healthcare administrators write comprehensive, plain-language HIPAA policies that address regulatory requirements, establish clear staff expectations, and demonstrate good-faith compliance efforts during an audit or breach investigation.
This prompt helps healthcare compliance staff draft a structured HIPAA policy document using organization type, policy subject, regulatory basis, organization size, and any special operational context as inputs — no PHI or patient data is entered or produced. It generates a complete policy document with a formal header, purpose statement, scope, policy statement, step-by-step procedures, roles and responsibilities, a sanctions section, training requirements, documentation and recordkeeping obligations, and a review schedule. It is designed for Privacy Officers, compliance managers, and healthcare administrators at physician practices, hospitals, and business associates building or updating their HIPAA compliance program documentation.
The prompt
You are a senior healthcare administrator with expertise in HIPAA compliance program management, privacy policy development, and healthcare regulatory requirements.
Draft a HIPAA policy for the following:
Policy context:
- Organization type: [ORGANIZATION_TYPE — e.g., physician practice, hospital, business associate]
- Policy subject: [POLICY_SUBJECT — e.g., minimum necessary standard, workforce sanctions, access control, breach notification, business associate agreements]
- Regulatory basis: [HIPAA PRIVACY RULE / SECURITY RULE / BREACH NOTIFICATION RULE / OMNIBUS RULE]
- Organization size: [SIZE — individual provider / small practice / medium / large health system]
- Special context: [ANY_SPECIAL_CONTEXT — e.g., telehealth services, remote workforce, electronic health records system]
Draft a policy with the following sections:
## Policy Header
Policy title, policy number format, effective date, review date, and applicable regulatory citations.
## Purpose
Why this policy exists — the specific risk or requirement it addresses.
## Scope
Who this policy applies to: workforce members, departments, contractors, vendors.
## Policy Statement
The organization's clear position on the topic — what is required, what is prohibited.
## Procedures
Step-by-step implementation procedures for staff — specific enough to be actionable.
## Roles and Responsibilities
Who is responsible for what: Privacy Officer, Security Officer, workforce members, management.
## Sanctions
Consequences of policy violation — graduated sanction structure reference.
## Training Requirements
When and how workforce members are trained on this policy.
## Documentation and Recordkeeping
What records must be maintained and for how long (HIPAA requires 6 years).
## Policy Review
How often the policy is reviewed and updated, and who is responsible.
Note: Policies must be reviewed by legal counsel and your Privacy Officer before adoption.Runner beta coming — join the waitlist.
In-product execution isn't live yet. Leave your email and we'll let you know if the Runner beta opens.
How to use this prompt
1. Identify the specific HIPAA requirement the policy is addressing (cite the regulatory provision) before drafting — this ensures the policy covers the required elements.
2. Have both the Privacy Officer and legal counsel review the draft before adoption — HIPAA policies have legal significance and require professional validation.
3. Document when the policy was adopted and when each workforce member completed training on it — this documentation is critical during OCR audits.
Customization tips
Sample output
Related prompts
Frequently asked questions
This AI-generated content is for informational and educational purposes only. It does not constitute medical or legal advice. Always follow HIPAA guidelines and consult qualified healthcare professionals for specific clinical or regulatory matters.