IG POLICY TEMPLATES & RESOURCES
FOR HEALTHCARE ORGANIZATIONS

Minimize Risks, Manage Records, and Maximize Compliance

Because no two healthcare organizations are alike in terms of corporate culture and business practices, it is up to you to establish information classifications (confidential, sensitive), define terms (business record), research state laws and regulations, and create best practices-based policies to support compliance. To help jumpstart the process, we give you the NetGovern Policy Package.

Professionally written by the policy experts at the ePolicy Institute, this content is designed to help healthcare entities in the United States minimize risks, manage records, and maximize compliance. Our sample policies incorporate key federal laws and regulations, while eliminating the gobbledygook that confuses employees and reduces compliance. Feel free to use this material as a foundation for your own policies.


Confidential & Sensitive Information Policy Template

POLICY TEMPLATE PREVIEW - ORGANIZATION is committed to respecting and protecting the privacy of our business, patients, employees, and other internal and external parties. To that end, ORGANIZATION has established mandatory rules and procedures for the acquisition, access, use, and disclosure of confidential healthcare information and sensitive business records.


ORGANIZATION’s Confidential & Sensitive Information Policy is designed to help minimize legal and regulatory risks; manage business records; maintain information integrity; and maximize compliance with the Health Insurance Portability and Accountability Act (HIPAA), which requires the safeguarding of protected health information (PHI) and electronic protected health information (EPHI) related to patient health status, medical care, treatment plans, and payment issues.

This Confidential & Sensitive Information Policy governs all information—electronic, hard copy, and spoken—related to ORGANIZATION’s patients, personnel, products, programs, and practices.

Compliance with ORGANIZATION’s Confidential & Sensitive Information Policy is mandatory.

All parties working on behalf of or to benefit ORGANIZATION are required to know, understand, and adhere to this policy. Those parties are referred to as “employees” in this policy and include officers, directors, executives, full-time workers, part-time staff, physicians, nurses, clinical staff, residents, medical students, supervisors, managers, volunteers, interns, business associates, and nonbusiness associate vendors including pharmaceutical and device sales representatives among others.

This Confidential & Sensitive Information Policy applies to hard-copy documents, verbal conversations, and electronic communications conducted via ORGANIZATION-owned and personally owned computer resources, including but not limited to email, text messaging, instant messaging, video conferencing, social media, mobile devices, web, Intranet, smartphones, and landline phones.

 


Records Retention Policy Template

POLICY TEMPLATE PREVIEW - ORGANIZATION is committed to preserving, protecting, and producing business records, including protected health information (PHI), electronic protected health information (EPHI), personally identifiable information (PII), and other business-critical information in compliance with the Health Insurance Portability and Accountability Act (HIPAA), federal and state laws and regulations, eDiscovery guidelines, and this Record Retention Policy.


For ORGANIZATION, mismanaged, misplaced, or missing business records are more than a nuisance. They are a liability. Failure to safeguard PHI, EPHI, PII, and other business records could trigger lawsuits or HIPAA investigations, resulting in financial, civil, and criminal penalties.

To help manage records, minimize risks, and maximize compliance, ORGANIZATION has established this mandatory Record Retention Policy.

Compliance with ORGANIZATION’s Record Retention Policy and attached retention/deletion schedule is mandatory 24 hours a day, seven days a week, 365 days a year.

All parties working on behalf of or to benefit ORGANIZATION are required to know, understand, and adhere to this policy and its procedures. Those parties are referred to as “employees” in this policy and include officers, directors, executives, full-time workers, part-time staff, physicians, nurses, clinical staff, residents, medical students, supervisors, managers, volunteers, interns, business associates, and nonbusiness associate vendors including pharmaceutical and device sales representatives among others.

This Record Retention Policy applies to hard-copy and electronic records created, transmitted, and stored on ORGANIZATION-owned and personally owned computer resources, including but not limited to email and attachments, text messaging, instant messaging, video conferencing, social media, web, Intranet, mobile devices, laptops, desktops, tablets, and smartphones.

 


Records Retention Guidelines

GUIDELINES PREVIEW - For healthcare organizations operating in the United States, mismanaged, misplaced, or missing electronic medical records and business records are more than a nuisance. They are a liability. You are responsible for preserving, protecting, producing, and purging medical records and business records in accordance with federal and state laws and regulations, eDiscovery obligations, administrative and operational needs, statutes of limitations, litigation holds, and the Health Insurance Portability and Accountability Act (HIPAA).


Failure to safeguard medical records, including protected health information (PHI) and electronic protected health information (EPHI), could lead to HIPAA investigations, financial penalties, and disgruntled patients. Mismanagement of business records, including electronically stored information (ESI), could trigger million-dollar lawsuits, damaged reputations, and decreased revenues.

Best practices call for healthcare systems, hospitals, providers, and other HIPAA-covered entities to establish strategic record management programs. To that end, the policy and technology experts at the ePolicy Institute and NetGovern offer best practices-based guidelines to help you manage electronic records, minimize legal and regulatory risks, and maximize compliance.

Effective record management begins with policies & procedures. Healthcare professionals create, acquire, transmit, process, and otherwise use mountains of medical records/EPHI and business records/ESI. Get a grip on record management by establishing and enforcing current and comprehensive policies, legally defensible procedures, and strict schedules.

 


Best Practices for the Effective and Compliant Preservation, Protection, & Production of Business Records

WHITE PAPER PREVIEW - For healthcare entities in the United States, mismanaged, misplaced, or missing electronic business records are more than a nuisance. They are a liability. Healthcare organizations are required to preserve, protect, and produce business records, including protected health information (PHI), electronic protected health information (EPHI), personally identifiable information (PII), and other business-critical information in compliance with the Health Insurance Portability and Accountability Act (HIPAA), federal and state privacy legislation, data breach notification laws, encryption regulations, and eDiscovery guidelines.


Failure to safeguard EPHI could trigger lawsuits by disgruntled patients, as well as investigations by the Health and Human Services (HHS) Office for Civil Rights (OCR), which enforces HIPAA and investigates data breaches impacting 500 or more individuals. OCR must conduct compliance reviews of HIPAA violations stemming from willful neglect by healthcare providers or their business associates. When the privacy or security of EPHI is breached, OCR can levy civil, criminal, or financial penalties against the offender.

Best practices call for healthcare organizations to establish strategic record management programs, complete with comprehensive, current Record Retention Policy & Procedures. To that end, the policy and technology experts at the ePolicy Institute and NetGovern offer 14 rules to help you manage records, minimize risks, and maximize compliance.

 


Get Involved!

 

Let us and your peers know your thoughts about this material. Let’s help each other reach a higher Information Governance maturity level through collaboration and community (assess your level with the IG Maturity Index Report). We’ll carefully consider your feedback in future versions of these resources.
