Free Word download • Edit online • Save & share with Drive • Export to PDF
A Medical Code of Ethics is a formal binding document that defines the ethical principles, professional obligations, and conduct standards governing physicians, nurses, and clinical staff within a healthcare organization or practice. It codifies the foundational bioethics principles — beneficence, non-maleficence, patient autonomy, and distributive justice — and translates them into enforceable organizational rules covering patient rights, informed consent, confidentiality, conflict of interest, professional boundaries, duty to report, and disciplinary procedures. Unlike a general employee code of conduct, a medical code of ethics is anchored in clinical practice and must align with the standards of the applicable licensing body — the AMA in the United States, provincial Colleges in Canada, the GMC in the United Kingdom, and national medical associations across EU member states.
Without a written and signed Medical Code of Ethics, a healthcare organization has no enforceable framework for addressing the conduct issues most likely to cause patient harm, trigger licensing-board investigations, or create regulatory liability. A clinician who violates a patient's privacy, crosses professional boundaries, or fails to disclose a financial conflict has done so within a policy vacuum — leaving the organization unable to take disciplinary action with a defensible record. Accreditation bodies including the Joint Commission require formal ethics policies as a condition of accreditation, and their absence during a survey can result in conditional status or loss of accreditation entirely. Mandatory licensing-board reporting obligations for sexual boundary violations and patient harm apply regardless of whether the organization has a policy — but without one, the internal investigation process is improvised, legally exposed, and easily challenged. This template gives clinical organizations a structured, jurisdiction-aware starting point that covers every material ethics obligation, closes the contractor and locum coverage gap, and creates the documented acknowledgment record that regulators, accreditors, and courts expect to see.
| If your situation is… | Use this template |
|---|---|
| Establishing ethics standards for a full hospital or health system | Hospital Code of Ethics |
| Setting conduct expectations for nursing staff specifically | Nursing Code of Ethics Policy |
| Documenting patient rights in a standalone policy | Patient Rights and Responsibilities Policy |
| Governing ethics for research involving human subjects | Research Ethics Policy |
| Addressing ethics obligations for mental health practitioners | Mental Health Professional Code of Ethics |
| Establishing a general professional code of ethics for non-medical staff | Code of Ethics and Business Conduct |
| Documenting HIPAA-specific privacy and confidentiality obligations | HIPAA Privacy Policy |
Why it matters: HIPAA applies only to US covered entities and their business associates. A Canadian clinic that cites HIPAA instead of PIPEDA or a provincial health information act creates a compliance document that references no enforceable legal standard.
Fix: Identify the applicable privacy statute for each jurisdiction in which the organization operates and reference it explicitly in the confidentiality clause.
Why it matters: Most jurisdictions require organizations to report specific categories of misconduct — sexual boundary violations, substance impairment, patient harm — to the licensing authority regardless of internal resolution. Failing to include these triggers means the organization's disciplinary process silently non-complies.
Fix: List the specific reportable events and the applicable licensing body (state medical board, provincial College, GMC, etc.) in the disciplinary section, and confirm the list with a healthcare attorney.
Why it matters: A patient's signature on a standard form demonstrates consent was sought, not that it was informed. Courts and regulators examine whether the required disclosures were actually made and understood — a bare signature without supporting documentation leaves the organization exposed.
Fix: Require clinicians to document in the chart note that the patient received specific disclosures, had opportunity to ask questions, and acknowledged understanding before signing.
Why it matters: Locum tenens physicians, agency nurses, and contracted specialists interact directly with patients but are often excluded from internal ethics policies by default. Any misconduct by an excluded contractor still creates organizational liability.
Fix: Explicitly extend the Code's obligations to all personnel providing clinical services on behalf of the organization, regardless of employment status, and require contractors to sign acknowledgment as a condition of engagement.
In plain language: Establishes the foundational principles — beneficence, non-maleficence, autonomy, justice, and fidelity — that govern all clinical and professional conduct within the organization.
[ORGANIZATION NAME] affirms the following core ethical principles as binding obligations for all clinical and administrative personnel: (1) Beneficence — act always in the patient's best interest; (2) Non-Maleficence — avoid actions likely to cause harm; (3) Autonomy — respect the patient's right to make informed decisions; (4) Justice — provide equitable care regardless of [PROTECTED CHARACTERISTICS]; (5) Fidelity — honor commitments made to patients and colleagues.
Common mistake: Listing principles without defining how they apply to day-to-day decisions. Abstract statements with no operational context give clinicians no guidance when principles conflict — for example, when a patient's autonomy conflicts with a clinician's judgment about harm.
In plain language: Defines patients' rights to respectful treatment, privacy, access to their medical information, and freedom from discrimination, and places obligations on staff to uphold these rights at every interaction.
All patients of [ORGANIZATION NAME] have the right to: (a) receive care that respects their dignity, culture, and personal values; (b) access their medical records within [X] business days of request; (c) receive care without discrimination based on [PROTECTED CHARACTERISTICS]; (d) receive a timely response to complaints through the process described in Section [X].
Common mistake: Omitting a complaint-response timeline. Without a defined window — typically 5–10 business days for acknowledgment — the rights provision becomes unenforceable and fails Joint Commission or CQC accreditation standards.
In plain language: Obligates staff to protect patient health information from unauthorized disclosure, defines permitted uses and disclosures, and cross-references applicable privacy law.
All personnel shall maintain strict confidentiality of patient health information ('PHI') in accordance with [HIPAA / PIPEDA / GDPR / APPLICABLE LAW]. PHI may be disclosed only for: (a) treatment, payment, or healthcare operations; (b) purposes required by law; or (c) with the patient's written authorization. Unauthorized disclosure shall constitute a material breach of this Code subject to the disciplinary procedures in Section [X].
Common mistake: Referencing HIPAA by name without confirming it applies. HIPAA applies only to covered entities and their business associates — clinics operating outside the US, or entities that are not covered entities, need to cite their applicable jurisdiction-specific statute instead.
In plain language: Requires clinicians to obtain documented, voluntary patient consent before any treatment, procedure, or research participation — including the specific information that must be disclosed and the process for documenting consent.
Prior to any non-emergency treatment or procedure, the treating clinician shall provide the patient with: (a) a plain-language description of the proposed intervention; (b) material risks and expected benefits; (c) available alternatives including no treatment; (d) opportunity to ask questions. Consent shall be documented in the patient's medical record using [ORGANIZATION NAME]'s standard consent form.
Common mistake: Treating a signed consent form as equivalent to informed consent. Courts have found that a signature is evidence of consent, not proof of it — the documentation must also show the patient received and understood the required disclosures.
In plain language: Requires clinical and administrative staff to disclose any financial, personal, or professional relationship that could bias patient care decisions, and establishes the process for managing or recusing from conflicted situations.
All personnel shall disclose to [ORGANIZATION NAME]'s Ethics Officer any actual or potential conflict of interest, including: (a) financial relationships with pharmaceutical or device manufacturers; (b) ownership interests in referral entities; (c) personal relationships with patients. Disclosures shall be made within [X] days of the conflict arising using Form [XX]. Undisclosed conflicts shall be subject to disciplinary action under Section [X].
Common mistake: Failing to address physician self-referral explicitly. The Stark Law in the US and analogous anti-kickback statutes in Canada and the UK impose civil penalties for undisclosed financial relationships with referral entities — a clause that omits this creates significant regulatory exposure.
In plain language: Prohibits personal, sexual, or financial relationships between clinical staff and current patients, and establishes minimum waiting periods and procedures for relationships with former patients.
No clinical staff member shall engage in a romantic, sexual, or personal financial relationship with a current patient. Relationships with former patients are prohibited for a minimum period of [24] months following the termination of the clinical relationship and require prior written disclosure to the Ethics Officer. Violations shall be deemed a serious breach subject to immediate investigation under Section [X].
Common mistake: Setting no minimum waiting period for relationships with former patients or leaving it as 'a reasonable time.' Licensing boards in most jurisdictions specify minimum periods — commonly 2 years for physicians and indefinitely for psychotherapists — and a vague standard exposes both the clinician and the organization.
In plain language: Obligates staff to report impaired colleagues, suspected patient abuse, safety incidents, and ethics violations through defined channels, and guarantees protection from retaliation for good-faith reports.
All personnel are obligated to report: (a) suspected patient abuse or neglect to [DESIGNATED AUTHORITY] within [X] hours; (b) a colleague believed to be impaired by substance use or mental illness that poses patient risk; (c) any observed violation of this Code. Reports may be made to the Ethics Officer at [CONTACT] or through the anonymous hotline at [NUMBER]. No personnel shall be subject to retaliation for a good-faith report.
Common mistake: Omitting the anonymous reporting channel. Staff who fear retaliation from supervisors will not use a reporting process that requires identification — and a Code that produces no reports is a compliance document only, not a functioning ethics system.
In plain language: Establishes the requirement for Institutional Review Board (IRB) or equivalent ethics committee approval before any research involving patients, and prohibits coercion or undue inducement of research subjects.
No clinical research involving patients or their data shall be conducted at [ORGANIZATION NAME] without prior written approval of an accredited IRB or equivalent ethics committee. Participation in research shall be entirely voluntary, with no penalty for refusal. All research personnel shall comply with the [COMMON RULE / DECLARATION OF HELSINKI / APPLICABLE FRAMEWORK] in all aspects of study design, recruitment, and reporting.
Common mistake: Assuming IRB approval covers ongoing obligations. IRB approval is a threshold requirement — researchers must also file annual continuing review reports, submit amendments for protocol changes, and report adverse events, or approval lapses and the research becomes non-compliant.
In plain language: Prohibits the sharing of identifiable patient information on social media or in public communications, and sets standards for how clinical staff may represent the organization externally.
Personnel shall not post, share, or comment on identifiable patient information on any social media platform, public forum, or external communication channel. Commentary on clinical cases in any public venue — including anonymized cases — requires prior written approval from [ORGANIZATION NAME]'s Communications Officer. Violations may constitute a HIPAA breach and shall trigger the disciplinary process in Section [X].
Common mistake: Relying on personal-use carve-outs without limiting them. Staff who post 'personal opinions, not the organization's views' disclosures still create HIPAA and reputational liability when they discuss patient cases — the disclaimer does not insulate the organization.
In plain language: Defines the investigation process for alleged ethics violations, the range of sanctions available (from written warning to termination and license-board referral), and the appeal rights of the accused party.
Upon receipt of a complaint or report of a potential violation, the Ethics Officer shall: (a) acknowledge receipt within [5] business days; (b) complete a preliminary review within [20] business days; (c) refer substantiated complaints to the [ETHICS COMMITTEE / DISCIPLINARY PANEL]. Sanctions may include: written warning, suspension of clinical privileges, mandatory training, termination, or referral to the applicable licensing board. The subject of any complaint has the right to respond in writing within [10] business days of receiving the preliminary findings.
Common mistake: Publishing a disciplinary process that mirrors the organization's general HR process without accounting for mandatory licensing-board reporting obligations. In most jurisdictions, certain categories of misconduct — sexual boundary violations, patient harm, substance impairment — must be reported to the licensing authority regardless of internal resolution.
Enter the full legal name of the healthcare organization, the types of personnel covered (physicians, nurses, allied health, administrative staff), and the facilities or service lines to which the Code applies.
💡 Define scope broadly enough to include contractors, locum tenens physicians, and volunteers — excluded categories become enforcement gaps.
Replace the [APPLICABLE LAW] placeholder in the confidentiality clause with the correct statute: HIPAA for US covered entities, PIPEDA or provincial health privacy acts for Canadian organizations, the Data Protection Act 2018 for UK practices, or GDPR for EU clinics.
💡 If your organization operates across more than one jurisdiction, list all applicable statutes and note which takes precedence when they conflict.
Replace all bracketed time references — complaint acknowledgment windows, conflict disclosure deadlines, post-relationship waiting periods — with specific numbers that meet or exceed the minimums required by your applicable licensing board or accreditor.
💡 Joint Commission standards require complaint acknowledgment within 7 days and resolution within 30 days — use these as your floor if you are or intend to be accredited.
Designate a specific role — not a named individual — as Ethics Officer, and provide the contact information and anonymous hotline number for reporting ethics concerns.
💡 Using a role title rather than a person's name means the document does not need to be amended every time the position changes hands.
If your organization refers patients to external entities — labs, imaging centers, specialist practices — explicitly address the Stark Law (US), anti-kickback provisions (CA/UK), or equivalent local rules. Add a disclosure form reference appropriate to your referral volume.
💡 For physician-owned practices with in-office ancillaries, have a healthcare attorney review the conflict section before execution — Stark violations carry civil monetary penalties starting at $15,000 per transaction.
Align the Code's investigation timelines, appeal rights, and sanction categories with your existing employment agreements and HR handbook to avoid conflicting obligations. Confirm that the mandatory licensing-board reporting triggers are complete for your jurisdiction.
💡 Where your employment contract and the Code specify different processes for the same conduct, the Code should expressly prevail for clinical ethics matters to prevent staff from claiming the lighter HR standard applies.
Have every covered staff member sign and date the Code before their first patient encounter. For existing staff adopting a new Code, obtain fresh signatures and document the effective date of the updated version.
💡 Store executed copies in personnel files and in the credentialing record — accreditors and licensing boards may request evidence of signed acknowledgment during surveys.
Set a calendar reminder to review and re-execute the Code annually or whenever applicable law changes — HIPAA enforcement guidance, FTC rulings on non-compete, or updated GMC or provincial College standards can all require amendments.
💡 Pair the annual Code review with your HIPAA risk assessment and compliance training calendar so all three move on the same cycle.
A medical code of ethics is a formal document that defines the ethical principles, professional obligations, and conduct standards binding on physicians, nurses, and clinical staff within a healthcare organization or practice. It covers patient rights, confidentiality, informed consent, conflict of interest, professional boundaries, and disciplinary procedures. Unlike general codes of conduct, a medical code of ethics is grounded in clinical bioethics principles — beneficence, non-maleficence, autonomy, and justice — and must align with applicable healthcare law and licensing board requirements.
In the US, federal law does not mandate a written medical code of ethics for all providers, but Joint Commission accreditation standards require hospitals to have a formal ethics policy in place. Many state licensing boards reference the AMA Code of Medical Ethics as the applicable standard for physician conduct, making its provisions effectively binding by regulatory reference. In the UK, the GMC's Good Medical Practice framework is legally enforceable through fitness-to-practise proceedings. Canadian provincial Colleges impose similar requirements. EU member states vary, but most national medical associations publish binding ethics codes as a condition of licensure.
Every individual who provides clinical services within the organization should sign the Code before their first patient encounter — including full-time physicians, part-time and per diem clinical staff, nurses, allied health professionals, and contracted or locum practitioners. Administrative staff with access to patient health information should also sign. Requiring signatures from contractors, not just employees, closes the most common enforcement gap in healthcare ethics programs.
A general code of conduct covers workplace behavior, anti-harassment, conflicts of interest, and business ethics across all staff roles. A medical code of ethics adds clinical-specific obligations — informed consent, professional boundaries with patients, duty to report impaired colleagues, human subjects research protections, and alignment with bioethics principles — that have no equivalent in non-clinical settings. Healthcare organizations typically need both: a general code of conduct for all employees and a medical code of ethics for clinical personnel.
HIPAA establishes the legal minimum standards for protecting patient health information in the United States. A medical code of ethics incorporates and reinforces HIPAA obligations at the organizational level, adds conduct standards that go beyond HIPAA's minimum requirements, and creates disciplinary consequences for violations. HIPAA applies only to US covered entities — Canadian, UK, and EU healthcare organizations must reference their applicable statutes (PIPEDA, the Data Protection Act 2018, or GDPR) in the confidentiality provisions instead.
A medical practice may create its own code, and doing so is generally preferable because it can be tailored to the practice's specialty, patient population, size, and applicable licensing requirements. The AMA Code of Medical Ethics is the authoritative reference document for US physicians and should be consulted to ensure your organizational code does not conflict with it, but most practices adopt and adapt a custom code rather than republishing the AMA code verbatim. In the UK, GMC Good Medical Practice is the binding framework; organizational codes supplement rather than replace it.
Consequences depend on the nature and severity of the violation. The organization's disciplinary process typically begins with a preliminary investigation, followed by a range of sanctions from written warning and mandatory training to suspension of clinical privileges or termination. Certain violations — sexual boundary violations, patient harm, substance impairment — must also be reported to the applicable licensing board, which can impose its own sanctions including suspension or revocation of the medical license. Criminal conduct must be reported to law enforcement regardless of the internal process.
At a minimum, the Code should be reviewed annually and whenever applicable law or licensing board standards change. Key triggers for an unscheduled review include changes to HIPAA enforcement guidance, new state or provincial billing or referral regulations, updates to GMC or provincial College conduct standards, or a significant internal ethics incident. All clinical staff should re-sign the updated version when material changes are made, and the prior version should be retained for at least 7 years.
Telehealth providers are subject to the same ethical obligations as in-person providers — patient rights, informed consent, confidentiality, and professional boundaries apply equally in a remote care setting. However, the Code should address telehealth-specific issues: confirming patient location to determine which jurisdiction's law applies, obtaining consent for recording, managing cross-state prescribing obligations, and ensuring secure communication platforms are used. A single Code covering both in-person and telehealth encounters is acceptable if it addresses these modality-specific points explicitly.
A general code of ethics and business conduct covers workplace behavior, anti-corruption, conflicts of interest, and confidentiality for all employees across industries. A medical code of ethics adds clinical-specific obligations — informed consent, professional boundaries with patients, duty to report impaired colleagues, and bioethics principles — that are required by healthcare licensing boards and accreditors. Healthcare organizations typically need both documents operating in parallel.
A HIPAA Privacy Policy documents the organization's compliance with the HIPAA Privacy Rule — the technical and administrative safeguards for protected health information. A medical code of ethics is broader: it covers the full range of ethical obligations in clinical practice, of which patient privacy is one component. The Privacy Policy is a compliance document; the Code of Ethics is a professional conduct standard. US healthcare organizations need both.
An employee handbook covers general employment policies — leave, compensation, performance management, and workplace behavior — that apply to all staff. A medical code of ethics governs clinical conduct specifically and carries licensing-board consequences that go beyond employment termination. The handbook is an HR document; the Code is a professional obligations document. Clinical staff should receive and sign both.
An NDA is a bilateral or unilateral contract that prohibits specific parties from disclosing defined confidential information, typically in a business or employment context. A medical code of ethics establishes a comprehensive framework of ethical and legal obligations — of which confidentiality is one element — for all clinical personnel. The confidentiality clause in a Code of Ethics does not replace an NDA where one is required; they serve different purposes and operate in different legal contexts.
High patient volume and longitudinal relationships make professional boundary and continuity-of-care provisions especially important, along with clear duty-to-report obligations for suspected domestic abuse.
Psychotherapy creates heightened professional boundary risks — most licensing boards impose indefinite prohibitions on relationships with former therapy patients, which the Code must reflect explicitly.
Joint Commission and DNV accreditation require a formal ethics policy; multi-specialty environments demand clear conflict-of-interest and clinical privilege provisions covering employed and independent medical staff alike.
Cross-state licensure, asynchronous care models, and AI-assisted diagnostics create novel informed consent and conflict-of-interest issues that standard practice-based codes do not address without modification.
The AMA Code of Medical Ethics is the authoritative reference for physician conduct and is incorporated by reference into many state licensing board regulations. HIPAA governs patient health information for covered entities. The Stark Law and Anti-Kickback Statute impose strict disclosure and prohibition requirements for financial relationships with referral entities. Non-compete clauses for physicians are restricted or banned in California, Minnesota, and an increasing number of states — review local law before including them.
Each provincial College of Physicians and Surgeons publishes binding practice standards that a medical code of ethics must align with — the CMA Code of Ethics and Professionalism provides national guidance but provincial Colleges are the enforceable authority. Patient privacy is governed by PIPEDA federally and provincial health information acts (e.g., PHIPA in Ontario, HIA in Alberta) — organizations should cite the applicable provincial statute in confidentiality provisions. French-language requirements apply in Quebec for documents given to patients.
GMC's Good Medical Practice is legally enforceable through fitness-to-practise proceedings and must be reflected in any organizational code of ethics. The Nursing and Midwifery Council (NMC) publishes equivalent standards for nurses and midwives. The Data Protection Act 2018 and UK GDPR govern patient data — references to HIPAA in any UK clinical document are legally irrelevant. The Care Quality Commission (CQC) requires evidence of a formal ethics and conduct policy during inspections.
GDPR applies to all patient health data processing across the EU and imposes stricter requirements for special category data (health data) than for general personal data — including data protection impact assessments and restrictions on automated processing. Each member state's national medical association or competent authority publishes ethics standards; France, Germany, and the Netherlands impose particularly detailed requirements. The EU Clinical Trials Regulation (CTR) governs research ethics for trials involving investigational medicinal products.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Small to mid-size medical practices establishing a formal ethics policy for the first time | Free | 1–2 hours to customize and execute |
| Template + legal review | Practices in heavily regulated specialties, those pursuing Joint Commission accreditation, or clinics operating across multiple states or provinces | $500–$1,500 for a healthcare attorney review | 3–7 days |
| Custom drafted | Hospital systems, multi-specialty groups, telehealth platforms with cross-jurisdiction licensing, or organizations following a significant ethics incident or regulatory investigation | $3,000–$10,000+ | 2–6 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Free Forever Plan · No credit card required
