Privacy Policy for Healthcare & HIPAA: The Complete Guide
Healthcare organizations handle the most sensitive category of personal data: Protected Health Information (PHI). A generic privacy policy is not enough. Federal law under HIPAA mandates specific disclosures, patient rights, and data handling procedures that no other industry requires. Getting it wrong means fines up to $2.1 million per violation category per year — and potential criminal prosecution. Here's how to build a compliant healthcare privacy policy from scratch.
Generate Your Healthcare Privacy Policy in 2 Minutes
Skip the $5,000+ healthcare attorney bill. PolicyForge creates HIPAA-aware privacy policies tailored to your practice type, telehealth usage, and data handling procedures.
Why Healthcare Businesses Need Special Privacy Policies
Unlike a standard e-commerce store or SaaS product, healthcare organizations are “covered entities” under the Health Insurance Portability and Accountability Act (HIPAA). This federal law, enacted in 1996 and significantly strengthened by the HITECH Act of 2009, imposes strict requirements on how Protected Health Information is collected, stored, transmitted, and disclosed. A generic website privacy policy does not satisfy these obligations.
Federal Law, Not Just Best Practice
HIPAA is a federal mandate. Every healthcare provider, health plan, and healthcare clearinghouse that transmits health information electronically must comply. This is not optional guidance — it carries civil and criminal penalties.
Notice of Privacy Practices (NPP) Requirement
HIPAA requires covered entities to provide patients with a Notice of Privacy Practices that explains how their PHI may be used and disclosed. This is a separate legal document from a website privacy policy, and many organizations need both.
Broader Scope Than Other Regulations
HIPAA covers not just digital data but paper records, verbal communications, faxes, and any medium containing PHI. Your privacy policy must address all channels through which patient information flows.
State Laws Add Additional Requirements
States like California (CMIA), Texas (THIPA), and New York have healthcare privacy laws that layer on top of HIPAA. When state law is more protective than HIPAA, the stricter standard applies. Your privacy policy must account for the jurisdictions you operate in.
Who Must Comply with HIPAA Privacy Requirements
HIPAA compliance is not limited to hospitals. The law covers a wide range of organizations, and many businesses do not realize they fall under its scope until an audit or breach occurs.
Covered Entities
These are organizations that directly handle PHI as part of their core operations. This includes hospitals and health systems, physician and dental practices, pharmacies, health insurance companies, nursing facilities, mental health providers, laboratories, and any provider that transmits health information electronically in connection with a HIPAA-covered transaction (such as claims or eligibility inquiries).
Business Associates
Any organization that performs functions or activities on behalf of a covered entity that involve access to PHI is a “business associate” under HIPAA. This includes EHR (Electronic Health Record) vendors, cloud hosting providers storing patient data, medical billing companies, IT support firms with access to systems containing PHI, telehealth platform providers, email services used for patient communication, and data analytics companies processing health data. Business associates must sign a Business Associate Agreement (BAA) and are directly liable for HIPAA violations.
Digital Health Startups and Apps
If your health app, wearable platform, or digital therapeutics tool collects health information and works with or on behalf of a covered entity, HIPAA likely applies. Even if HIPAA does not directly apply, the FTC Health Breach Notification Rule may require similar privacy protections. The safest approach is to build HIPAA-grade privacy practices from the start.
HIPAA Requirements for Privacy Policies
The HIPAA Privacy Rule (45 CFR Part 164) establishes specific elements that must be included in your Notice of Privacy Practices and, by extension, your overall privacy documentation. Here is what the law requires:
Describe how PHI may be used for treatment, payment, and healthcare operations. List other permitted uses (e.g., public health, law enforcement, research) and situations requiring patient authorization.
Enumerate all patient rights under HIPAA: right to access PHI, right to request amendments, right to an accounting of disclosures, right to request restrictions, right to confidential communications, and right to a paper copy of the NPP.
State the organization's obligation to protect PHI, abide by the terms of the NPP, and notify patients of breaches. Include a statement that the entity is required by law to maintain the privacy of PHI.
Provide the name, title, and contact information of the person or office to contact for further information about the privacy practices. Include a phone number.
The NPP must include the date on which it is first in effect and must be updated whenever material changes are made.
Inform patients they can file complaints with the organization and with the Secretary of Health and Human Services (HHS). Include contact details for both and state that no retaliation will occur for filing a complaint.
Describe your commitment to using, disclosing, and requesting only the minimum amount of PHI necessary to accomplish the intended purpose of the use or disclosure.
Explain when patient authorization is required before disclosing PHI — including marketing, sale of PHI, psychotherapy notes, and uses not described in the NPP.
Protected Health Information (PHI): What It Covers
PHI is any individually identifiable health information created or received by a covered entity that relates to the past, present, or future physical or mental health of an individual, the provision of healthcare, or the payment for healthcare. Understanding what qualifies as PHI is essential for writing an accurate privacy policy.
The 18 HIPAA Identifiers
HIPAA defines 18 types of identifiers that, when combined with health information, create PHI. Your privacy policy should address how you handle each category that applies to your practice:
Names
Dates (birth, admission, discharge, death)
Phone and fax numbers
Email addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers
Device identifiers and serial numbers
Web URLs and IP addresses
Biometric identifiers (fingerprints, voiceprints)
Full-face photographs and comparable images
Geographic data smaller than a state
Any other unique identifying number or code
Electronic PHI (ePHI) and the Security Rule
When PHI is created, received, maintained, or transmitted in electronic form, it becomes ePHI and is subject to the HIPAA Security Rule in addition to the Privacy Rule. Your privacy policy should address the technical safeguards you employ: encryption at rest and in transit, access controls, audit logging, automatic session timeouts, and secure backup procedures. For healthcare websites and apps, this means HTTPS encryption, encrypted databases, role-based access controls, and audit trails for all PHI access.
Telehealth-Specific Privacy Requirements
The rapid expansion of telehealth has created new privacy challenges. If you offer virtual consultations, remote patient monitoring, or any form of digital healthcare delivery, your privacy policy must address these specific concerns:
Video and Audio Recording
Clearly state whether telehealth sessions are recorded. If recordings are made, explain the purpose, how they are stored, who can access them, and how long they are retained. Many states require two-party consent for recording conversations.
Platform Security
Identify the telehealth platform used and confirm it has signed a BAA with your organization. Consumer-grade tools like standard Zoom (non-healthcare), FaceTime, or Skype are generally not HIPAA compliant. Use platforms specifically designed for healthcare: Doxy.me, Zoom for Healthcare, or similar services that offer BAAs.
Patient Location and Licensing
Your privacy policy should note that telehealth services may be subject to different state laws depending on where the patient is located. Some states have stricter privacy requirements than HIPAA, and the patient's state law generally governs.
Remote Patient Monitoring Data
If you use wearables, connected devices, or patient-reported outcomes tools, describe what data is collected continuously, how it is transmitted securely, and the circumstances under which this data may be shared with other providers or researchers.
Messaging and Patient Portals
If patients can message providers through a portal or app, explain the security measures in place for these communications. Clarify that standard email and SMS are not secure channels for PHI unless encrypted, and recommend patients use the portal for sensitive communications.
Patient Rights Under HIPAA
Your privacy policy must clearly communicate each right that patients hold under the HIPAA Privacy Rule. Failure to include these or to honor them is a direct violation.
Patients have the right to inspect and obtain a copy of their PHI maintained in a designated record set. You must respond within 30 days (one 30-day extension permitted). You can charge a reasonable, cost-based fee for copies. Under the 21st Century Cures Act, patients also have the right to access their electronic health information via API without special effort.
Patients can request corrections to their PHI if they believe it is inaccurate or incomplete. You may deny the request under limited circumstances but must provide a written explanation and allow the patient to submit a statement of disagreement.
Patients can request a list of disclosures of their PHI made by the covered entity for the previous six years, excluding disclosures for treatment, payment, and healthcare operations. You must track and provide this within 60 days.
Patients can request restrictions on how their PHI is used or disclosed for treatment, payment, or operations. You are not required to agree, except in one case: if the patient pays out of pocket in full, you must restrict disclosure to their health plan upon request.
Patients can request that communications about their health information be sent to a specific address or by a specific method. For example, a patient may request that appointment reminders not be left on a shared voicemail. You must accommodate reasonable requests.
Even if a patient has agreed to receive the Notice of Privacy Practices electronically, they retain the right to request a paper copy at any time.
Patients can file a complaint with the covered entity or directly with the HHS Office for Civil Rights if they believe their privacy rights have been violated. No retaliation is permitted.
Business Associate Agreements (BAAs)
A Business Associate Agreement is a legally binding contract between a covered entity and a business associate that establishes the permitted uses and disclosures of PHI by the business associate. Your privacy policy should reference your use of business associates and the protections in place.
What a BAA Must Include
A valid BAA must specify the permitted and required uses of PHI by the business associate, prohibit the business associate from using or disclosing PHI other than as permitted, require the business associate to implement appropriate safeguards, require reporting of any unauthorized use or disclosure, ensure that any subcontractors agree to the same restrictions, make PHI available to fulfill patient access requests, return or destroy PHI at termination of the contract, and make internal practices available to HHS for compliance audits.
Common Business Associates in Healthcare
| Category | Examples |
|---|---|
| EHR Vendors | Epic, Cerner, Athenahealth, DrChrono |
| Cloud Hosting | AWS (with BAA), Google Cloud (with BAA), Azure |
| Billing Services | Medical billing companies, clearinghouses |
| Telehealth Platforms | Doxy.me, Zoom for Healthcare, Teladoc |
| Payment Processors | Stripe (with BAA), PayPal (limited PHI) |
| IT Support / MSPs | Any IT vendor with access to systems containing PHI |
Your privacy policy should note that all vendors with access to PHI have signed BAAs and are contractually obligated to protect patient information to the same standard as the covered entity.
Healthcare Data Breach Notification Requirements
The HIPAA Breach Notification Rule (45 CFR 164.400-414) requires covered entities to notify affected individuals, HHS, and in some cases the media when a breach of unsecured PHI occurs. Your privacy policy should describe your breach notification procedures.
Individual Notification
Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery of the breach. Notification must be by first-class mail (or email if the individual has agreed to electronic notice) and must include: a description of the breach, the types of information involved, steps individuals should take to protect themselves, what you are doing to investigate and mitigate, and contact procedures for questions.
HHS Notification
Breaches affecting 500 or more individuals must be reported to HHS within 60 days. These appear on the HHS “Wall of Shame” — a public list of breaches. Breaches affecting fewer than 500 individuals can be reported annually but must still be logged.
Media Notification
If a breach affects 500 or more individuals in a single state or jurisdiction, you must notify prominent media outlets serving that area within 60 days.
Business Associate Obligations
Business associates that discover a breach must notify the covered entity without unreasonable delay and no later than 60 days after discovery, providing the identity of each individual affected.
Common HIPAA Violations in Privacy Policies
The HHS Office for Civil Rights regularly audits healthcare organizations and issues fines for privacy policy deficiencies. These are the most commonly cited violations:
Using a Generic Template Without Customization
A privacy policy that does not reflect your actual data practices is a violation. If your NPP says you do not share data with business associates but you use a cloud EHR, you are non-compliant. Every policy must be tailored to your specific operations.
Failing to Update After Changes
Adding a new telehealth platform, switching EHR vendors, or changing billing practices all require privacy policy updates. The most common violation is failing to revise the NPP when material changes occur.
Omitting Patient Rights
Every HIPAA right must be described in the NPP. Omitting the right to an accounting of disclosures or the right to request restrictions is a direct violation, even if you would honor the request in practice.
No Designated Privacy Officer Contact
HIPAA requires the NPP to include the name or title and telephone number of a contact person or office. Many small practices list only a generic email address, which does not satisfy the requirement.
Not Addressing Electronic Communications
If your practice sends appointment reminders via text, uses patient portals, or communicates via email, the privacy policy must address the security of these channels and the risks of unencrypted communication.
Lacking a Breach Notification Procedure
The NPP must describe how patients will be notified in the event of a breach. Many organizations fail to include this required element.
HIPAA vs GDPR: How They Differ for Healthcare
If your healthcare organization treats patients from the EU or has any EU presence, you must comply with both HIPAA and GDPR. While both protect personal data, they differ significantly in scope and approach.
| Dimension | HIPAA | GDPR |
|---|---|---|
| Scope | Covered entities and business associates in the US | Any organization processing EU residents' data |
| Data covered | Protected Health Information (PHI) only | All personal data, including health data as a special category |
| Consent model | Consent not required for treatment, payment, operations | Explicit consent required for processing health data (Article 9) |
| Right to erasure | No general right to delete; amendment rights instead | Right to erasure (right to be forgotten) with exceptions |
| Data portability | Right to access and obtain copies | Right to data portability in machine-readable format |
| Breach notification | 60 days to notify individuals | 72 hours to notify supervisory authority |
| Maximum penalties | $2.1M per violation category/year | €20M or 4% of global annual revenue |
| DPO requirement | Privacy Officer required (any designated person) | Data Protection Officer required for large-scale health data processing |
If both regulations apply, you must meet the stricter requirement in each category. For example, GDPR's 72-hour breach notification deadline supersedes HIPAA's 60-day window for EU patients. GDPR's explicit consent requirement for health data processing is stricter than HIPAA's treatment-payment-operations exceptions.
HIPAA Penalty Structure
HIPAA violations are assessed based on the level of culpability. Understanding the penalty tiers helps illustrate why compliance is not optional.
| Tier | Culpability Level | Per Violation | Annual Cap |
|---|---|---|---|
| Tier 1 | Did not know (and could not reasonably have known) | $137 - $68,928 | $68,928 |
| Tier 2 | Reasonable cause (not willful neglect) | $1,379 - $68,928 | $137,886 |
| Tier 3 | Willful neglect, corrected within 30 days | $13,785 - $68,928 | $344,638 |
| Tier 4 | Willful neglect, not corrected | $68,928+ | $2,067,813 |
Criminal penalties can also apply: up to $50,000 and one year in prison for knowingly obtaining PHI in violation of HIPAA, up to $100,000 and five years for offenses committed under false pretenses, and up to $250,000 and ten years for offenses committed with intent to sell or use PHI for commercial gain or malicious harm.
The Cost of Healthcare Privacy Compliance
| Approach | Cost | Time | Coverage |
|---|---|---|---|
| Healthcare attorney | $3,000 - $10,000+ | 2 - 6 weeks | Customized to your practice |
| HIPAA compliance consultant | $5,000 - $20,000 | 4 - 12 weeks | Full compliance program |
| Enterprise compliance SaaS | $200 - $800/month | 1 - 2 weeks setup | Policy templates + training |
| DIY with free template | $0 (+ your time) | 8 - 20+ hours | Risk of gaps and errors |
| PolicyForge Pro | $12.99 (one-time) | 2 minutes | HIPAA-aware policy + compliance scan |
PolicyForge Pro: $12.99 one-time. Generate unlimited privacy policies, terms of service, and cookie policies. Includes compliance scanning for HIPAA, GDPR, and CCPA requirements. No subscription. No hidden fees.
FAQ: Healthcare Privacy Policies and HIPAA
Is a website privacy policy the same as a HIPAA Notice of Privacy Practices?
No. A website privacy policy covers how your website collects and uses visitor data (cookies, analytics, form submissions). A HIPAA Notice of Privacy Practices (NPP) is a separate legal document describing how you use and disclose Protected Health Information. Most healthcare organizations need both documents. Your website privacy policy should reference the NPP and link to it.
Does my small medical practice really need to worry about HIPAA privacy policies?
Yes. HIPAA applies to all healthcare providers who transmit health information electronically, regardless of size. A solo practitioner who submits electronic claims is just as liable as a hospital system. In fact, small practices are increasingly targeted in HHS audits because they are more likely to have compliance gaps.
Do I need a BAA with every software vendor I use?
You need a BAA with every vendor that creates, receives, maintains, or transmits PHI on your behalf. This includes your EHR, cloud hosting, billing service, email provider (if used for patient communication), and telehealth platform. It does not include vendors who never access PHI, such as your website hosting provider (if no patient data passes through the website) or your office supply company.
What happens if I have a data breach but my practice is small?
Size does not exempt you from breach notification requirements. All breaches of unsecured PHI must be reported, regardless of the number of individuals affected. Breaches affecting fewer than 500 individuals can be reported to HHS annually rather than within 60 days, but you must still notify each affected individual without unreasonable delay. Failure to report is itself a HIPAA violation.
Can I use Google Analytics on my healthcare website?
Yes, but with caution. Google Analytics on a general informational healthcare website (appointment scheduling, service descriptions) is generally acceptable. However, if your website includes a patient portal, online intake forms, or any feature where PHI is entered, you must ensure analytics tools do not capture PHI in URLs, form fields, or page titles. Google Analytics does not sign BAAs, so it should never have access to PHI. Use server-side analytics or privacy-focused alternatives for pages that handle patient information.
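As an added example (not from the original article and not PolicyForge code), the JavaScript below scrubs a page URL and title before they are handed to an analytics page_view call, dropping the identifier categories from the HIPAA list above (email addresses, phone numbers, dates, Social Security numbers, medical record numbers) so that an analytics vendor without a BAA never receives them. The parameter names, regular expressions and sample intake URL are constructed heuristics for illustration, not a complete Safe Harbor de-identification.

```javascript
// Added example: redact HIPAA-identifier-like values from a URL and page
// title before passing them to an analytics tag. Runs in Node or a browser
// (uses only the WHATWG URL API). Patterns and parameter names are
// constructed assumptions; tune them to the forms your site actually serves.

// Query parameters that, on an intake form or portal, typically carry PHI.
// Constructed list: these are dropped outright rather than scrubbed.
const PHI_PARAMS = new Set(["name", "email", "phone", "dob", "ssn", "mrn", "patient_id"]);

// Heuristic patterns for identifier categories on the HIPAA list.
// Order matters: SSN runs before PHONE so 123-45-6789 is not read as a phone.
const PHI_PATTERNS = [
  { label: "EMAIL", re: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi },
  { label: "SSN",   re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { label: "PHONE", re: /\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b/g },
  { label: "DATE",  re: /\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}\/\d{1,2}\/\d{2,4})\b/g },
  { label: "MRN",   re: /\bMRN[-: ]?\d{5,}\b/gi },
];

// Replace every identifier-like substring in free text with a category token.
function redactText(text) {
  let out = String(text);
  for (const { label, re } of PHI_PATTERNS) {
    out = out.replace(re, `[${label}]`);
  }
  return out;
}

// Rebuild a URL with PHI-bearing parameters removed, remaining parameter
// values scrubbed, path segments scrubbed (e.g. /patient/MRN12345/...), and
// the fragment dropped, since single-page apps often keep form state there.
function redactUrl(urlString) {
  const url = new URL(urlString);
  const clean = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (PHI_PARAMS.has(key.toLowerCase())) continue;
    clean.append(key, redactText(value));
  }
  url.search = clean.toString();
  url.pathname = url.pathname.split("/").map(redactText).join("/");
  url.hash = "";
  return url.toString();
}

// The only two fields a page_view call should receive from this code path.
function analyticsPayload(urlString, title) {
  return { page_location: redactUrl(urlString), page_title: redactText(title) };
}

// Constructed sample of what an intake page could otherwise leak to analytics.
const sample = analyticsPayload(
  "https://clinic.example/intake?step=2&email=jane%40example.com&dob=1985-03-02&note=call+555-123-4567",
  "Intake for MRN-00123 - 03/02/1985"
);
console.log(sample);
```

Wire `analyticsPayload` in front of whatever function actually sends the page_view, and keep the scrubbed result in a test suite so a new form field cannot silently reintroduce PHI.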
How does the FTC Health Breach Notification Rule affect health apps?
If your digital health app or wearable does not meet the definition of a HIPAA covered entity or business associate, you may still be subject to the FTC Health Breach Notification Rule. This rule requires vendors of personal health records and related entities to notify consumers and the FTC following a breach of unsecured health information. Penalties for non-compliance are up to $50,120 per violation per day. Your privacy policy should address this if your app collects health-related data.
Do I need to encrypt patient emails?
HIPAA does not explicitly mandate encryption, but it is an “addressable” safeguard under the Security Rule. This means you must either implement encryption or document why an equivalent alternative safeguard is reasonable and appropriate. In practice, if you communicate with patients via email about their health conditions, medications, or treatment plans, encryption is effectively required. If a patient requests unencrypted email communication, you should document the request and warn them of the risks in writing.
How often should I update my HIPAA privacy policy?
Review and update whenever you make material changes to your privacy practices — adding a telehealth platform, changing EHR vendors, expanding to new service lines, or starting to share data with new business associates. At minimum, conduct an annual review to ensure accuracy. HIPAA requires that the revised NPP be made available upon request and posted prominently on your website within 60 days of any material revision.
Protect Your Practice. Protect Your Patients.
HIPAA compliance is not optional, and the penalties for getting it wrong are severe. Generate a healthcare-ready privacy policy in under 2 minutes and scan your existing website for compliance gaps before an auditor does.
Free tier: 2 generations/day. Pro: $12.99 one-time for unlimited.