Foundations in Privacy Toolkit

As many health care providers know and experience, exchanging patient information can be challenging from both a legal and operational perspective. From the legal perspective, providers are forced to sort through the myriad of privacy laws, rules, and regulations and determine which rules apply to a particular use or disclosure of patient information. Given that Minnesota Law often conflicts with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this is no easy feat. From an operational perspective, organizations are required by HIPAA to develop privacy policies and procedures and train their workforce on these complex rules.

The Foundations in Privacy Toolkit (the “Toolkit”) was developed to address these challenges. In 2013, the Minnesota Departments of Health and Human Services were awarded  $45 million in grant funding by The Center for Medicare and Medicaid Innovation (CMMI) as part of a State Innovation Model (SIM) cooperative agreement. The Minnesota Department of Health (MDH) used part of this funding to develop the Privacy, Security and Consent Management for Electronic Health Information Exchange grant, in which MDH partnered with the firm to analyze legal barriers and develop tools to support the exchange of health information in Minnesota. The Toolkit was developed as part of this grant.

The Toolkit contains the following types of material, organized by subject area:

  • Template policies and procedures
  • Flow charts
  • Template agreements
  • Checklists

These documents can be used by providers in many ways. The policy and procedure documents can be customized and implemented as part of an organization’s HIPAA privacy compliance efforts. The flow charts and checklists can be used to analyze business relationships and unique disclosure situations, and the template agreements can be used to guide negotiations and simplify execution. All of the documents can be used to educate and train workforce.

It is important to note that the Toolkit is a foundation for HIPAA and Minnesota law compliance. It does not address every scenario, and providers will need to supplement these materials to include legal requirements and standards specific to their organization. Further, some areas of privacy law are subject to multiple interpretations; while we have described alternative views for some of these issues we have not attempted to address all of the areas where differing interpretations exist. Providers will also need to modify Toolkit documents as the law changes.

This Toolkit is not intended as legal advice, which may often turn on specific facts.  Readers should seek specific legal advice before acting with regard to the subjects mentioned herein. Please feel free to contact Lathrop GPM’s Health Law Group for more information.

Click here to view the full toolkit (.pdf)

Table of Contents

Introduction to the Foundations in Privacy Toolkit

View introduction


View definitions


Business Associates

  • Policy: Disclosing Information to Business Associates (.pdf) (.docx)
  • Flowchart: How to Identify a “Business Associate” (.pdf)
  • Checklist: Business Associate Agreement Checklist – Required and Optional Terms (.pdf) (.docx)
  • Template Agreement: Business Associate Agreement (.pdf) (.docx)
  • Template Agreement: Subcontractor Business Associate Agreement (.pdf) (.docx)

Data Use Agreements

Emergency Situations

  • Policy: Disclosing Information in a Medical Emergency (.pdf) (.docx)


  • Policy: Use and Disclosure of PHI for Fundraising (.pdf) (.docx)

Health Care Operations

  • Policy: Using and Disclosing Information for Health Care Operations (.pdf) (.docx)

HIPAA Authorization

  • Policy: Authorization for Use and Disclosure of PHI (.pdf) (.docx)

Judicial and Administrative Proceedings

  • Policy: Disclosures for Judicial and Administrative Proceedings (.pdf) (.docx)


  • Policy: Use and Disclosure of PHI for Marketing (.pdf) (.docx)

Mental Health Records

  • Policy: Using and Disclosing Mental Health Records (.pdf) (.docx)
  • Flowchart: Are the Notes “Psychotherapy Notes” Under HIPAA? (.pdf)

Minimum Necessary Standard

  • Policy: Minimum Necessary for Requests for, or Uses or Disclosures of, PHI (.pdf) (.docx)

Minnesota Government Data Practices Act

  • Policy Overlay: Additional Requirements Under the Minnesota Government Data Practices Act (.pdf) (.docx)

Minnesota Law

  • Policy: Consent to Disclose Health Information Under Minnesota Law (.pdf) (.docx)

Out-of-State Providers

  • Policy: Exchanging Information with Out-of-State Providers (.pdf) (.docx)


  • Policy: Using and Disclosing Information for Payment Purposes (.pdf) (.docx)


  • Policy: Use and Disclosure of PHI for Research Purposes (.pdf) (.docx)

Substance Use Disorder Records

  • Policy: Disclosures of Substance Use Disorder Patient Records (.pdf) (.docx)
  • Flowchart: Confidentiality of Substance Use Disorder Patient Records - Am I Subject to 42 CFR Part 2? (.pdf)

Developed in partnership with