Your review or other use of the documents or other information or services on the HIPAA COW web site (collectively, the “Documents”) will be governed by the terms and conditions stated below. For the purposes of these terms and conditions, if the user is not an individual, then “You” or “you” will include the user’s company, its practitioners, officers, employees, members, agents, successors and assignees. As used below, “HIPAA COW” refers to HIPAA Collaborative of Wisconsin. HIPAA COW may amend these terms and conditions at any time by posting the amended terms on HIPAA COW’s Web site. HIPAA COW holds the Copyright to these Documents. HIPAA COW retains full copyright ownership, rights and protection in all material contained in the Documents.  Any HIPAA COW copyrighted document may be downloaded from the web, printed, and distributed in its entirety as long as: (i) the reproduced document contains the original HIPAA COW copyright and disclaimer and (ii) the document is provided free of charge. Any entity who wishes to adopt part or all of a document for its own internal compliance may do so without the copyright as long as the document is adopted solely for internal purposes and HIPAA COW is referenced as a source. Any other use of copyrighted material is prohibited without the express written permission of HIPAA COW. These Documents are provided “as is” without any express or implied warranty. These Documents are for educational purposes only and do not constitute legal advice. If you require legal advice, you should consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption issues related to these Documents. Therefore, these Documents may need to be modified in order to comply with Wisconsin/State law. Though HIPAA COW believes reasonable efforts have been made to ensure the accuracy of the information contained in the Documents, it may include inaccuracies or typographical errors and may be changed or updated without notice. It is intended for discussion and educational purposes only and is provided “AS IS” WITHOUT WARRANTY OF ANY KIND AND RELIANCE ON ANY INFORMATION PRESENTED IS AT YOUR OWN RISK. HIPAA COW AND ITS CONTRIBUTORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, AND ANY AND ALL PRODUCTS, SERVICES AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. In no event shall HIPAA COW be liable for any direct, indirect, punitive, incidental, special, or consequential damages or damages for loss of profits, revenue, data, down time, or use, arising out of or in any way connected with the use of these Documents or performance of any services, whether based on contract, tort, negligence, strict liability or otherwise. If you are dissatisfied with any portion of the Documents, or with any of these terms of use, your sole and exclusive remedy is to discontinue using the Document. If this limitation of liability or the exclusion of warranty is held inapplicable or unenforceable for any reason, then HIPAA COW’s maximum liability for any type of damages shall be limited to U.S. $100.00. This agreement shall be construed in accordance with the laws of the State of Wisconsin without regard to its conflict-of-law provisions. You hereby irrevocably consent to the exclusive jurisdiction and venue of courts in Dane County, Wisconsin for all disputes arising out of or relating in any way to the use of these Documents. The listing of an organization or a Web link on the HIPAA COW web site does not imply any endorsement and HIPAA COW takes no responsibility for the products, tools, and Internet sites listed. Documents may contain links to other sites over which HIPAA COW has no control. The inclusion of any link does not imply endorsement by HIPAA COW of the site or the site’s contents or owner. By using any Documents to search for or link to another site, you agree and understand that you may not make any claim against HIPAA COW for any damages or losses, whatsoever, resulting from your use of the Web site to obtain search results or to link to another site. The information and content provided by HIPAA COW is for informational purposes only. HIPAA COW disclaims any responsibility to update any information, including with respect to any new legal, business, or technology developments. The information is not intended to and does not constitute legal, financial, or other professional advice. HIPAA COW is not licensed to practice law in any jurisdiction and the accuracy, completeness, adequacy, or currency of the information is not warranted or guaranteed and any use of it is at your own risk. If you require legal advice, you should consult with an attorney. HIPAA COW may terminate these terms and conditions and your use of these Documents at any time if you violate any provision of these terms and conditions. Termination of these terms and conditions will not affect any obligations that accrued before the termination. If you understand and accept these conditions of use, click “I Accept” to enter the HIPAA COW Sample Documents Portal page.    

Accept Decline

Privacy & Security Documents



  1. Disclosures for TPO & Imminent Threat
  2. HIPAA COW Telemedicine Policy
Access to Protected Health Information (PHI) 164.524
  1. Patient Right to Access, Inspect and Copy Protected Health Information
  2. Minors Privacy Right Access
  3. Provider Model Privacy Notice
  4. Provider Notice of Privacy Practice
  5. Charging for copies of PHI
Accounting of Disclosures                                   164.528
  1. Accounting of Disclosures
Alternative Communications 164.522 (b)
  1. Individual Right to Request Alternative Communications
Amendment                                                     164.526
  1. Amendment Policy
  2. Amendment Form
  3. Sample Letters for Amendment Policy
Auditing/Activity Review


  • Audit Controls 164.312(b)
  • Information System Activity Review 164.308(a)(1)(ii)(D)
  • Log-in Monitoring 164.308(a)(5)(ii)(C)
  • Protection from Malicious Software 164.308(a)(5)(ii)(B)
  1. Information System Activity Review Policy (formerly named Auditing Policy)
Authorization 164.508
  1. Consent for Disclosure of Patient PHI
  2. Validity of Patient Authorization
  3. Authorization Elements Grid
  4. WI Authorization Form
  5. Audio, Video and Photo Consent 10.1.17
  6. Issue of Requiring Authorization Forms to include Copy or Fax – Position Statement
Breach Notification   Part 164 Subpart D


  • Sanction Policy 164.308(a)(1)(ii)(C)
  1. 2013 Omnibus Rule Version Breach Notification Policy – Compliance Date 9/23/13
  2. Privacy Officer Breach Notification Checklist
Business Associate


  • 164.308(b)
  • 164.314
  • 164.504(e)
  • HITECH Sections 13401(a), 13404, 13408
  1. BA Agreement Omnibus Rule
  2. Business Associate Agreement Policy/Procedure
  3. BA Training PPT
Complaint  164.530(d)(1)
  1. Privacy Complaint Policy & Form
Contingency Plan 164.308(a)(7)


  • Contingency Operations 164.310(a)(2)(i)
  • Emergency Access Procedure 164.312(a)(2)(ii)
  1. Contingency Planning Whitepaper
Consumer Guide
  1. Wisconsin Consumer HIPAA Guide PDF
Data Management


  • Accountability 164.310(d)(2)(iii)
  • Data Backup and Storage 164.310(d)(2)(iv)
  • Data Backup Plan 164.308(a)(7)(ii)(A)
  • Device and Media Controls 164.310(d)
  1. Data Management & Backup 
De-Identification 164.514
  1. De-ID vs LDS
Designated Record Set  164.501
  1. Designated Record Sets
Device & Media Controls 164.310(d)


  • Disposal 164.310(d)(2)(i)
  • Media Re-use 164.310(d)(2)(ii)
  • Portable Handheld Devices
  • Removable Media
  1. Media Sanitization for Disposal or Reuse
  2. Portable Handheld Device Policy
  3. Removable Media Policy
Employee Health
  1. Management of Employee Health Records Whitepaper
Facility Access Controls 164.310(a)(1)


  • Access Control & Validation Procedures 164.310(a)(2)(iii)
  • Facility Security Plan 164.310(a)(2)(ii)
  1. Facility Access Policy
Facility Maintenance Records 164.310(a)(2)(iv)
  1. Facility Repairs and Maintenance
Fundraising  164.514(f)(1)
  1. Fundraising Policy Doc
Group Health Plan Requirements


  • 164.314(b)
  • 164.504(f)
  1. Plan Documents Policy
Information Access Management 164.308(a)(4)(i)


  • Access Control 164.312(a)(1)
  • Access Establishment and Modification 164.308(a)(4)(ii)(C)
  • Authorization and/or Supervision   164.308(a)(3)(ii)(A)
  • Automatic Logoff 164.312(a)(2)(iii)
  • Isolating Healthcare Clearinghouse Function 164.308(a)(4)(ii)(A)
  • Password Management 164.308(a)(5)(ii)(D)
  • Person or Entity Authentication 164.312(d)
  • Termination Procedures 164.308(a)(3)(ii)(C)
  • Unique User Identification 164.312(a)(2)(i)
  • Workforce Clearance Procedure   164.308(a)(3)(ii)(B)
  • Workforce Security 164.308(a)(3)(i)
  • Workstation Use 164.310(b)
  1. System Access Policy
  2. Remote Access Policy
  3. Information Blocking Roadmap/Decision Tracker Template
Judicial Proceeding 164.512(e)
  1. Policy & Procedure for Use and Disclosure of PHI for Judicial and Administrative Proceedings
Law Enforcement 164.512(f)
  1. HIPAA & Wisconsin Law Enforcement
  2. Drug Seeking Behavior Whitepaper
  3. 2016 Privacy Rule Modification—Firearms Safety
  4. Use of Body Cameras by Law Enforcement
Limited Data Set  164.514
  1. De-ID vs LDS
Marketing  164.501
  1. Marketing Policy Doc
  1. Disclosure of PHI to the Media
Minimum Necessary 164.514
  1. Minimum Necessary Training PPT
  2. Minimum Necessary Doc
Notice of Privacy Practice 164.520
  1. Privacy Notice Policy – Provider
  2. Model Privacy Notice – Provider
  3. Notice of Privacy Acknowledgement
  4. Privacy Notice Policy – Payer
  5. Model Privacy Notice – Payer
  6. Patient Privacy Rights – Policy
  7. Patient Privacy Rights – PowerPoint
Occupational Health
  1. Occupational Health Whitepaper 4-15-13
Policies & Procedures


  • Privacy 164.530(i)
  • Security 164.316
  1. Example Policy & Procedure Template
  2. HIPAA Security Policy and Procedure Checklist
  3. Security Standards and Associated P&Ps 
Preemption with Wisconsin Law


  • Part 160 Subpart B
  1. Preemption Analysis Supplement Definitions
  2. Preemption – WI 146 Pdf
  3. Preemption – WI 51.30 Pdf
  4. Preemption – WI 252 Pdf
  5. Preemption – 256.15(12): Ambulance Records Preemption Analysis
  6. Preemption Matrix (Payer) Doc
  7. HIPAA Harmonization Guidance WHIMA
Privacy Officer  164.530(a)
  1. HIPAA Implementation & Oversight
Psychotherapy Notes  164.508(a)(2)
  1. Psychotherapy Notes
Remote Access Policy
  1. Remote Access Policy Document
Restriction Request  164.522 (a)
  1. Individual Right to Request Restrictions on How PHI is Used/Disclosed for TPO
Risk Analysis & Management


  • 164.308 (a)(1)(ii)(A) and (B)
  • Evaluation 164.308(a)(8)
  • Meaningful Use – CMS EHR Incentive program
  • Protect Electronic Health Information Requirements
  • Safeguards – Administrative 164.306
  • Safeguards – Physical 164.310
  1. Risk Management Policy Doc
  2. Risk Toolkit Guide
  3. Risk Assessment Template
  4. Privacy, Security, & Meaningful Use Questions to Ask Vendors Doc
Safeguards  164.530 (c)
  1. Communication of PHI Policy Doc
Security Incident Procedures 164.308(a)(6)


  • Security Management Process 164.308(a)(1)(i)
  1. Security Incident Response

Also Refer to Breach Notification Section

Security Oversight:


  • General Rules 164.306
  • Policies & Procedures & Documentation Requirements 164.316
  • Security Awareness and Training 164.308(a)(5)(i)
  • Security Reminders 164.308(a)5)(ii)(A)
  • Sanction Policy 164.308(a)(1)(ii)(C)
  1. HIPAA Security Oversight Policy
  2. Security Benchmarking Whitepaper
  3. Cyber Hygiene Guidelines

Also Refer to Training Section

Social Media
  1. Social Media Guidelines
Technical Access Control:


  • Encryption 164.312(e)(2)(ii)
  • Encryption and Decryption 164.312(a)(2)(iv)
  • Integrity 164.312(c)
  • Integrity Controls 164.312(e)(2)(i)
  • Transmission Security 164.312(e)(1)
  1. Encryption Whitepaper


  • 164.530(b)(1)
  • 164.308(a)(5)
  1. Privacy & Security Training Session PowerPoint

Also Refer to Security Oversight Section

Treatment Uses and Disclosures  164.506
  1. Position Statement: Disclosing of PHI for Treatment Purposes
Verification of Identity 164.514(h)
  1. Identity Verification
Workers Compensation  164.512(l)
  1. Workers Compensation