HIPAA Compliance Template for 3rd Party Administrators

Eagle’s policy template helps you increase security, gain compliance, and avoid fines.

HIPAA Policies and Procedures Designed for Third Party Administrators (TPAs)

Eagle’s HIPAA policies for TPAs are designed to meet the regulatory requirements of small- to medium-sized third-party administrators (TPAs) who administer health benefit plans covered by HIPAA. Notably, under the HIPAA regulations, TPAs are obligated to have detailed, written policies and procedures. All policies have been updated for HIPAA compliance with the latest requirements, including the HITECH Act of 2009, the Breach Notification Rule, and the 2013 HIPAA Omnibus Rule. Version 2.0 of these policies, released in June 2020, was fully updated to reflect cloud technology trends and the employee work-at-home arrangements resulting from COVID-19.

HIPAA regulates self-insured group health benefit plans covering medical, dental, and/or vision; health savings accounts; flexible spending accounts; and other types of plans. Consequently, TPAs who administer any of these types of plans are HIPAA Business Associates of the plan and must comply with the HIPAA regulations.

These policies address the requirements that apply to all HIPAA Business Associates. In addition, they provide procedures for the many situations in which the TPA acts on behalf of the health plan, so that those actions are carried out in a HIPAA-compliant manner.

Benefits of Using These Policy Templates Include:

  • Policies are organized by audience to simplify training for staff
  • Quickly brings your technology into compliance with HIPAA rules for TPA Business Associates
  • Saves you thousands of dollars in consulting fees
  • Can be customized in Microsoft Word to the unique requirements of your business
  • Satisfaction is guaranteed by Eagle Consulting Partners, a leading consultant on the HIPAA regulations

HIPAA Policy Template for Third Party Administrators

Your comprehensive policy and procedure manual, designed for third party administrators’ compliance with the 2013 HIPAA regulations, in Microsoft Word format.

Avoid HIPAA Penalties

Your organization is subject to both civil and criminal penalties for non-compliance. That’s right: penalties ranging into millions of dollars can be assessed, which makes HIPAA one of the toughest sets of government regulations. The 4-tier penalty structure is as follows (see the complete federal regulations for details):

  • Did not know and, by exercising reasonable diligence, would not have known of the violation: $100 to $50,000 per violation; up to $1,500,000 per identical violation per year.
  • Violation due to reasonable cause and not willful neglect: $1,000 to $50,000 per violation; up to $1,500,000 per identical violation per year.
  • Violation due to willful neglect that was corrected within 30 days after the covered entity knew or should have known of the violation: mandatory fine of $10,000 to $50,000 per violation; up to $1,500,000 per identical violation per year.
  • Violation due to willful neglect that was not corrected within 30 days after the covered entity knew or should have known of the violation: mandatory fine of not less than $50,000 per violation; up to $1,500,000 per identical violation per year.

SAVE 20% ($100) – type in this code at checkout: Save-20

Contents Include:

1000 Confidentiality, Privacy and Computer Security Definitions
1010 HIPAA – General Rules
1020 Minimum Necessary Policy
1030 Confidentiality Safeguards (Oral & Written)
1035 Prohibitions on use of Genetic Information and Sale of PHI
1040 Speaking with the Family and Friends of a Participant
1050 Authorizations
1060 Verification
1065 Employee Work at Home
1070 Minors, Personal Representatives and Deceased Participants
1080 Duty to Report Violations and Security Incidents
1090 Disclosures that do Not Require an Authorization

1200 Participant’s Right to Access Records
1210 Participant’s Right to Request Amendment of Records
1220 Participant’s Right to Receive an Accounting of Disclosures
1230 Participant’s Right to Request Additional Restrictions
1240 Participant’s Right to Request Confidential Communications

1300 Mitigation
1340 Privacy Complaints

1350 Policy Updating and Staff Training
1360 Sanctions for Staff Violations of Privacy/Security Policies
1370 Business Associate Agreements and Vendor Management
1380 HIPAA Assignments and Documentation


1500 Employee Background Checks

2000 HIPAA Security Officer and Security Management Process
2010 Data Backup Policy
2020 Disaster Recovery and Emergency Mode Operation Plans
2030 Facility Security and Access Control
2040 Periodic Security Evaluation and/or Third-Party Audits
2050 Audit Control and Activity Review Policy
2060 Malicious Software Protection Policy
2070 Security Awareness Program
2080 Device and Media Disposal and Re-Use
2085 Encryption and Key Management
2087 User Account Management
2088 Privileged Account Management
2090 Technical Safeguards
2092 Technical Controls for Mobile Devices
2095 Change Management
2100 Breach Reporting

3010 Employee System Access and Termination Procedures

3080 Computer Usage
3082 Use of Social Media
3085 Computing Devices and Workstations – Company-owned and BYOD
3090 Security Incident Response and Reporting

Appendix A – Identifying Business Associates
Appendix B – Sample HIPAA BAA – For Use with Subcontractors
Appendix B2 – Sample HIPAA BAA – For Use with Customers
Appendix C – Sample Privacy & Security Officer Duties
Appendix D – Facility Security and Safeguards for Oral and Written PHI
Appendix E – Workforce Access to PHI and Safeguards
Appendix F – Minimum Necessary – Procedures for Routine Disclosures and Requests
Appendix G – Miscellaneous
Authorization Form
Disclosure Log
Participant Privacy Instructions
Confidentiality Agreement for Cleaning Agency
Employee Acknowledgement of HIPAA Policies and Procedures

Gary Pritts, President of Eagle Consulting Partners, Inc.

About the Author: Gary Pritts is Founder and President of Eagle Consulting Partners. The unique experience that led to these popular HIPAA Policy templates features a special focus on IT security, with effective policies that staff can carry out efficiently. Gary understands TPAs as a result of on-site consulting with multiple agencies. His in-depth understanding of the HIPAA rules, together with his understanding of ERISA regulations, has allowed him to create these policy templates. Gary’s extensive experience as a consultant to TPAs and insurance plans, as a hospital trustee, as CSO for a cloud healthcare messaging company, and in providing services to over 1,000 organizations over the last 15 years uniquely qualifies him to create these policies. He also understands the business aspects of the agency; he holds an MBA from Harvard. All of these experiences have come together to produce a set of unique policy templates that help cover the unique processes of public health agencies, gleaned first-hand in the public health trenches.

Limited Time Special… Save 20% ($100) at checkout… type in this code: Save-20

Eagle Consulting offers custom HIPAA and GDPR policy templates

Protect your organization!

Only Eagle brings decades of healthcare experience for Third Party Administrators (TPAs)!