This sample policy outlines procedures organizations should follow common to proper use or disclosure of protected health information (PHI).

The Health Insurance Portability and Accountability Act (HIPAA) requires a covered entity (CE) to obtain authorization to use or disclose protected health information for all purposes not explicitly permitted under the regulations (45 CFR §164.508[b][4]; §164.508[c]; §164.508[d]). A CE is a firm or individual group that provides healthcare services and that would use private health information. This includes physicians and all other caregivers, healthcare insurance plans, clearing houses and hybrid organizations.