Professional Learning Center

HIPAA Omnibus & BAA Template Kit


All templates are in Microsoft Word format.

The PLC Store is currently not available.

For questions, contact Teyana Reed at (212) 742-1600 x101 or

HIPAA Omnibus Policy & Procedures, plus Forms and Templates Kit And Updated Business Associate Agreement

The Coalition and COFCCA are pleased to announce the availability of a set of 38 HIPAA Policy Templates for the HIPAA Privacy, Security and Breach Notification Rules and an updated Business Associate Agreement, all of which conform to the HIPAA Omnibus Update released January 25, 2013 and the technical correction published June 7, 2013.

The final Omnibus Rule is effective as of March 26, 2013. Covered entities and all Business Associates have 180 days from the effective date (until September 23, 2013) to come into compliance with the final rule’s provisions.

These templates were written by Jim Sheldon-Dean of Lewis Creek Systems, LLC and Susan A. Miller, JD.

The kit includes an introductory chapter on how to use the following policy templates:

  1. Workforce Compliance with HIPAA Provisions
  2. Information Security Management Process
  3. Information Privacy and Security Sanction Policy
  4. Assigned Privacy and Security Responsibility
  5. Workforce Authorization and Clearance
  6. Termination Procedures
  7. Information Access Management
  8. Information Security Awareness and Privacy Training
  9. Information Privacy and Security Incident Procedures
  10. Data Backup Policy
  11. Contingency Plan
  12. Information Privacy and Security Evaluation
  13. Contracts and Memoranda of Understanding regarding Protected Health Information – HIPAA Business Associates
  14. Facility Access Controls
  15. Use of Electronic Mail and Facsimile Transmissions
  16. Workstation Use Policy
  17. Electronic Information Device and Media Controls
  18. Technical Access Control and Authentication
  19. Perimeter Security Policy
  20. Remote Access Policy
  21. Data Encryption Policy
  22. Information Systems Audit Controls
  23. Data Integrity Policy
  24. HIPAA Requirements for the Group Health Plan
  25. Documentation of HIPAA Compliance
  26. Information Disposal Policy
  27. Policy on Uses and Disclosures and Minimum Necessary
  28. Alternative Communications of Health Information
  29. Requests for Disclosures of Protected Health Information
  30. Accounting of Disclosures of Protected Health Information
  31. HIPAA Authorizations
  32. Policy on Designated Record Sets
  33. Notice of Privacy Practices
  34. Policy on Individual Access, Amendment and Restriction on Use of Protected Health Information
  35. General Policy on Disclosures of Protected Health Information that are Required by Law
    1. Disclosure of Protected Health Information to Regulators
    2. Subpoenas, Court Orders, Discovery Requests and other Legal Processes and the Disclosure of Protected Health Information
    3. Disclosure of Protected Health Information to Workers’ Compensation Programs
    4. Verification of the Identity and Authority of a Person Requesting Disclosure of Protected Health Information
    5. De-identification of Data and Limited Data Sets
  36. Fundraising
  37. Marketing Activities and Sale of PHI