Service providers that serve US and EU healthcare organizations, and that store protected health information (PHI) and other personal data, are both HIPAA “business associates” and either GDPR “controllers” or “processors.” These organizations must abide by both sets of regulations. These policy templates are designed specifically for service providers who provide cloud or hosted information systems, data analytics services, or other similar services.

Eagle Consulting’s HIPAA and GDPR policy templates will save you thousands in consulting fees…

Use Eagle’s HIPAA and GDPR policy templates to create one manual which will position you to:

  • Increase sales with the strong HIPAA and GDPR compliance demanded by prospective customers.
  • Impress customers with your responses to their audits and increase customer retention.
  • Avoid crippling regulatory fines — random HIPAA audits are ongoing and HIPAA and GDPR fines are steep.
  • Reduce anxiety knowing your organization is compliant with HIPAA and GDPR and follows best practices.
  • Protect your organization from costly and embarrassing data loss.
  • Reduce the risk of a financially devastating data breach.

Finally, there is an easy and affordable solution to the need for HIPAA and GDPR policies — comprehensive, customizable HIPAA and GDPR policy templates specifically for software-as-a-service companies who operate internationally with health-related data. Eagle’s HIPAA and GDPR policy templates speed the process of HIPAA and GDPR compliance and help you increase security and avoid fines. Service providers subject to HIPAA and GDPR need policies regarding:

  • the duty to report violations and security incidents,
  • transparency regarding data practices,
  • data subject rights,
  • marketing and website compliance,
  • lawfulness of processing under GDPR,
  • data residency,
  • breach reporting,
  • pseudonymisation and anonymisation/de-identification,
  • disaster recovery and emergency mode operation, among others.

All of these topics and more are covered in these policy templates!

These policy templates were built under the following assumptions, and modifications are likely needed if the following assumptions do not apply to your unique situation:

  • Under GDPR, the organization adopting these policies will be a data “processor” for its clients who are EU healthcare providers, and the organization’s client will be a data “controller”.
  • All data from EU healthcare organizations are maintained in a secure, EU-based data center.
  • All sales, marketing and accounting information are transferred to a US data center.
  • Cross-border transfers use Standard Contractual Clauses (note: when a Privacy Shield replacement is negotiated, the new mechanism will be added!).

Download Today to Start Updating Your Policies & Procedures for Compliance

The following policies are included:


Policies For All Staff

1000 Definitions
1010 Privacy and Security – General Rules
1020 Data Classification and Privacy/Security Safeguards
1030 Confidentiality Safeguards (Oral & Written)
1050 Computer Usage
1060 Computing Devices and Workstations – Company-owned and BYOD
1070 Employee Work at Home
1080 Duty to Report Violations and Security Incidents

Policies for Data Subject/Patient Rights

1200 Transparency Regarding Data Practices
1210 Data Subject Right of Access to Personally Identifiable Information
1220 Data Subject Right to Rectification
1230 Data Subject Right to Erasure
1240 Data Subject Right to Request Restriction of Processing
1250 Complying with Patient HIPAA Rights

Follow instructions to protect HIPAA and GDPR-related data. Eagle guarantees your satisfaction!

GDPR Compliance For Specific Situations

1410 GDPR – Sales, Marketing & Website Compliance

Access Control and Human Resources

1600 Employee System Access
1610 Employee/Contractor Recruiting and Termination
1620 Security Awareness Program
1630 Employee Sanctions

GDPR and HIPAA Compliance

2000 Security Officer, Data Protection Officer and EU Representative
2010 Data Protection by Design and Default
2020 Lawfulness of Processing and Purpose Limitation Under GDPR
2030 GDPR and HIPAA Notifications and Documentation
2035 Privacy-Shield Verification and Certification and GDPR Compliance Validation
2040 Data Residency, Cross-Border Transfers and Data Facility Security
2045 Complaint Resolution Under Privacy Shield
2050 GDPR Agreements – GDPR and Privacy Shield Compliance
2060 Business Associate Contracts – HIPAA Compliance
2070 Breach Reporting – GDPR
2080 Breach Reporting – HIPAA
2090 Disclosures Required by Law

Software Engineering and Customer Support

2500 Technical Support Procedures
2505 Data Conversion and Customer Implementation
2510 Software Development Procedures
2530 Intellectual Property

Data Security and Privacy

3000 Security Management Process
3002 Passwords and Encryption Keys
3004 Pseudonymisation, De-identification, Anonymisation and Storage Limitation
3005 Data Backup
3010 Disaster Recovery Plan and Emergency Mode Operation
3015 Facility Security and Access Control
3020 Periodic Security Evaluation
3025 Audit Control and Activity Review
3030 Malicious Software Protection
3033 Change Management
3040 Security Awareness Program
3050 Device and Media Disposal and Re-Use
3052 Encryption and Key Management
3054 User Account Management
3056 Privileged Account Management
3060 Technical Safeguards
3062 Technical Controls for Mobile Devices
3090 Security Incident Response and Reporting


Appendix A – Identifying Business Associates
Appendix B – Sample HIPAA BAA – For Use with Subcontractors
Appendix B2 – Sample HIPAA BAA – For Use with Customers
Appendix C – Facility Security and Access Plan
Appendix D – Workforce Access to PHI and Safeguards
Appendix E – Miscellaneous
Appendix F – Disaster Recovery Plan
Appendix G – GDPR Lawfulness of Processing
Employee-Owned Mobile Device Agreement
Company-Owned Mobile Device Agreement
Acknowledgement of HIPAA/GDPR Policies

Eagle Guarantees its Policy Templates

The policy templates are approximately 90 pages and delivered in Microsoft Word format for easy customization, and hyperlink functionality makes for a reader-friendly experience. A perpetual license is granted to the user to use and modify the policies for a single organization. Policies may be used in hardcopy format, or electronically via your organization’s server. When used online, all staff have immediate access. Online citations and references are included with full hyperlink functionality to allow quick access to the relevant HIPAA, GDPR, and/or various reference materials. The policies were most recently updated in March 2021.


Eagle Consulting offers custom HIPAA and GDPR policy templates

Protect your organization!

Only Eagle brings decades of healthcare experience to a strong GDPR policy that ALSO covers HIPAA regulations!
