AMC/HIPAA Workgroup
189
Section Five: Administrative requirements

PRIV.48 Privacy Official
§ 164.530(a)(1)(i)
HIPAA Requirement
Standard: Personnel designation
A covered entity must designate a privacy official who is responsible for the
development and implementation of the policies and procedures of the entity...
...(2) Implementation specification:
A covered entity must document the personnel designations in paragraph (a)(1) of
this section as required by paragraph (j) of this section.
AMC Explanation of HIPAA Regulation
The regulation requires the covered entity to appoint an individual to be accountable for the
development and implementation of privacy policies and procedures. It also requires that this
designation be documented.
Key Issues
What are the job responsibilities of the Privacy Official? Is the authority they have been
given commensurate with the role?
How will the Privacy Official's duties and resources integrate with related functions in
the covered entity?
What skills and knowledge base does this position require?
Will the privacy responsibilities be added to an existing position, or is this a new FTE?
What portion of an FTE should be allocated to this position, and how will requirements
change over time as the planning phase is supplanted by a long-term operational and
maintenance role?
What will be the relationship between the Information Security Officer and the Privacy
Official?
To whom will this position report within the covered entity?
Will the Privacy Official also be the contact person for complaints?
Will a separate Privacy Official be required for each covered entity's subsidiaries?
Category I Guidelines-Actions must be taken to address these
Select a single individual to serve as the privacy official for each covered entity.
Designate one privacy official for covered entities that consist of several subsidiaries
pursuant to § 164.504(b).
Maintain a written or electronic record of privacy official designation(s).
Category II Guidelines-Actions should be taken to address these
Create a job description for the privacy official defining the position's role,
responsibilities, and reporting relationship(s).
The privacy official:
Should work with a committee representing several different components of the
covered entity to develop and implement the privacy policy; and
Should have a position on the institution's HIPAA Oversight Board.
Roadblocks
In most AMCs, many departments and individuals currently have the ability to draft and
implement policies on the use of protected health information. It might be difficult to get all
faculty and staff, across all health system entities, to follow the recommendations of the privacy
official.
If a covered entity has multiple privacy officials (its subsidiaries are each considered a "covered
entity" pursuant to § 164.504(b)), and the entity wishes to standardize privacy matters, it will
take a well-coordinated communication effort. From a marketing and customer service
standpoint, it may also be important for the covered entity to have a seamless approach to
privacy matters.
Comments
Not every covered entity will need to allocate a new position for the Privacy Official. Small
providers may wish to delegate these responsibilities to an existing employee, while large entities
may create a full-time position. How a covered entity chooses to designate the covered entities
under § 164.504(b) is key to deciding how many privacy officials to designate.
AMCs will likely have multiple people with security or privacy responsibilities. Consider how
the privacy official's work will be interdependent with those in supporting roles.
The role of Privacy Official will transition from one of program definition and development to
one of operational support and maintenance over a period of two to three years. If thoughtfully
and faithfully established, the role will fulfill requirements through functional reporting
relationships. The Privacy Official's authority and influence are critical; they must be adequate
to the task.

PRIV.49
Privacy Contact Person or Office
§ 164.530(a)(1)(ii)
HIPAA Requirement
Standard: Personnel designation...
...A covered entity must designate a contact person or office who is responsible
for receiving complaints under this section and who is able to provide further
information about matters covered by the notice required by § 164.520.
(2) Implementation specification:
A covered entity must document the personnel designations in paragraph (a)(1) of
this section as required by paragraph (j) of this section.
AMC Explanation of HIPAA Regulation
Each covered entity must designate a contact person or office responsible for receiving
complaints under the Privacy Standards and who can provide further information about the
covered entity's Privacy Notice. The designation must be documented, and a contact name must
be listed on the covered entity's Privacy Notice.
Key Issues
What are the job responsibilities of the contact person or office? What is the scope of the
position's authority within the covered entity?
What skills and knowledge base does this position require?
Will the privacy responsibilities be added to an existing position, or should a new
position be created?
What portion of an FTE should be allocated to this position?
What will be the relationship between the Information Security Officer, the Privacy
Official, and the contact person/office?
To whom will this position report within the covered entity?
Will the Privacy Official also be the contact person for complaints? Will information be
consistently handled if the Privacy Official and contact person are not the same? Will
questions and incidents be consistently documented if the Privacy Official and the contact
person are not the same?
Is the mechanism for handling complaints a pre-existing mechanism, an adaptation of a
current system, or a new process?
Will the contact have access to management so that well-founded complaints reach the
right individual?
Will a separate privacy contact be required for each of the covered entity's subsidiaries?
Category I Guidelines-Actions must be taken to address these
Designate an individual or an office to receive complaints and provide information about
matters covered by the covered entity's Notice of Privacy Practices (§ 164.520).
Add the contact information to the covered entity's Notice of Privacy Practices.
Maintain a written or electronic record of this personnel designation.
Category II Guidelines-Actions should be taken to address these
Establish a reporting structure and process to involve persons with appropriate authority
to investigate and track complaints.
Ensure that the process of responding to complaints is done in a way that is consistent
with good public relations practices as well as good privacy policy.
Consider adding the reporting responsibility to an existing function or office.
Roadblocks
If a covered entity has multiple privacy contacts (its subsidiaries are each considered a "covered
entity" pursuant to § 164.504(b)), and it wishes to standardize privacy matters, doing so will
require a well-coordinated communication effort. Having a seamless approach to privacy matters
may be important for the covered entity from a marketing and customer service standpoint.
Providing the appropriate level of authority to handle complaints will require a complex set of
working relationships among several units in an AMC (e.g., Risk Management, Compliance
Office, Communications, Counsel), which is difficult to achieve.
Comments
Not every covered entity will need to allocate a new position for the contact person. Smaller
providers may wish to delegate the responsibilities to an existing workforce member while larger
entities may create a full-time position. Depending on the size and nature of the covered entity,
the Privacy Officer could share this position.
Handling complaints from the public will likely require a specialized process.
References: § 164.512, Content of Notice and § 164.530(e), Sanctions.

PRIV.50
Training on Privacy
§ 164.530(b)(1)
HIPAA Requirement
Standard: training. A covered entity must train all members of its workforce to
carry out their function within the covered entity.
(2) Implementation specifications: training. (i) A covered entity must provide
training that meets the requirements of paragraph (b)(1) of this section, as
follows:
(A) To each member of the covered entity's workforce by no later than the
compliance date for the covered entity;
(B) Thereafter, to each new member of the workforce within a reasonable period
of time after the person joins the covered entity's workforce; and
(C) To each member of the covered entity's workforce whose functions are
affected by a material change in the policies or procedures required by this
subpart, within a reasonable period of time after the material change becomes
effective in accordance with paragraph (i) of this section.
(ii) A covered entity must document that the training as described in paragraph
(b)(2)(i) of this section has been provided, as required by paragraph (j) of this
section.
AMC Explanation of HIPAA Regulation
The regulation requires training of all members of the covered entity's workforce in the covered
entity's policies and procedures with respect to protected health information. This includes
initial training at the time that the rule becomes applicable, with subsequent training of new
workforce members, and retraining as policy and/or procedure changes occur. All members of
the workforce must be trained, including employees, volunteers, trainees, and any others.
Finally, paragraph (j) requires that documentation of the training be kept in written or electronic
form for six years.
Key Issues
What are the criteria for judging training efficacy?
How can one determine the adequacy of effort by entities?
Category I Guidelines-Actions must be taken to address these
Train workforce members on privacy policy and procedure prior to the effective date of
the privacy regulations.
Thereafter, train new workforce members reasonably soon after they join the covered
entity.
When significant changes in policy and/or procedure occur, train the affected workforce
members as soon as possible after such changes.
Document the training in written or electronic form and retain the records for at least six
years.
Category II Guidelines-Actions should be taken to address these
Consider providing forms of training that help the trainee relate the policy to how they
are to behave in their working environment.
Consider including training on how to report a privacy problem.
Consider "refresher" courses and periodic reminders for workforce members about
privacy policy.
Consider competency tests to evaluate training effectiveness.
Roadblocks
No roadblocks specific to this point.
Comments
None.

PRIV.51 Safeguards
§ 164.530(c)(1)
HIPAA Requirement
Standard: safeguards. A covered entity must have in place appropriate
administrative, technical, and physical safeguards to protect the privacy of
protected health information.
(2) Implementation specification: safeguards. A covered entity must reasonably
safeguard protected health information from any intentional or unintentional use
or disclosure that is in violation of the standards, implementation specifications
or other requirements of this subpart.
AMC Explanation of HIPAA Regulation
A covered entity must establish administrative, technical, and physical safeguards to protect
protected health information from unauthorized access or use. These safeguards must be
appropriate and reasonable.
A group health plan is excepted from coverage by § 164.530(c) in circumstances where it gets
limited amounts of protected health information under conditions described in § 164.530(k).
Key Issues
How should a covered entity handle the determination of what is reasonable and
appropriate?
Is implementing the (proposed) Security regulations an adequate way to address this
point in the privacy regulations?
Category I Guidelines-Actions must be taken to address these
A covered entity must establish administrative, technical, and physical safeguards to
protect the privacy of protected health information from unauthorized use or disclosure.
These safeguards must be appropriate and reasonable.
Category II Guidelines-Actions should be taken to address these
Engage in a risk analysis (as the proposed Security regulations require) and create and
implement a risk management plan for both electronic and non-electronic information
assets.
Have the privacy official consult on safeguard requirements with the security officer and
others responsible for information practices.
Ensure that security and privacy officials have the authority necessary to implement
effective safeguards.
Have the privacy official create a list of reasonably anticipated threats and hazards to
privacy of protected health information and unauthorized uses or disclosures.
Be aware that many areas of section (g) address specific parts of the safeguards (training,
complaints, sanctions, etc.) and consult those sections for details.
Roadblocks
No roadblocks specific to this point.
Comments
This is an overarching requirement making the covered entity responsible for reasonable privacy
safeguards. The Security regulations and other aspects of the Privacy regulations provide some
of the specifics of what safeguarding entails. Unfortunately, the fact that the final security
regulations have not yet been issued makes it less clear to what safeguard standard the entity will
be held.

PRIV.52
Complaints to the covered entity
§ 164.530(d)(1)
HIPAA Requirement
Standard: Complaints to the covered entity. A covered entity must provide a
process for individuals to make complaints concerning the covered entity's
policies and procedures required by this subpart or its compliance with such
policies and procedures or the requirements of this subpart.
(2) Implementation specification: Documentation of complaints. As required by
paragraph (j) of this section, a covered entity must document all complaints
received, and their disposition, if any.
AMC Explanation of HIPAA Regulation
Covered entities must have a process for receiving and documenting complaints concerning their
privacy policies and procedures. Documentation must note referrals for action, if any.
Key Issues
How will entities publicize complaint procedures to staff and others?
What is the most efficient way to handle complaints-one person or several?
Should a timeframe for handling complaints exist?
Who should be allowed to access complaint information?
Who will investigate and resolve complaints and to whom will this person report
resolution status?
How will this information be maintained, stored, and retrieved? Is there an existing
information system that can be used for complaint maintenance?
How can entities use complaints to evaluate, improve, or change policies and practices?
Will entities use existing complaint processes for information privacy complaints or
develop a different process?
Should this policy be coordinated with the covered entity's Patient Rights policy?
Category I Guidelines-Actions must be taken to address these
Identify a contact person or office to receive complaints about policies and procedures
and compliance with them.
Maintain a record of complaints and brief explanations of their resolution.
Category II Guidelines-Actions should be taken to address these
Determine whether the person or office identified to receive complaints will handle them
personally or triage them for handling by others.
Determine timeframes and protocols for handling and reporting complaints.
Use complaints as evaluative and improvement tools where appropriate.
Determine who will access complaint information and for what purposes.
Specify a method to track complaints.
Report periodically on resolutions of complaints.
Coordinate this requirement with the covered entity's Patient Rights policy.
Roadblocks
Operational units within an AMC often address patient complaints directly. Relinquishing this
practice in favor of a single person or central office may challenge cultural norms.
Comments
This is related to PRIV.49.

PRIV.53 Sanctions
§ 164.530(e)(1)
HIPAA Requirement
Standard: sanctions. A covered entity must have and apply appropriate sanctions
against members of its workforce who fail to comply with the privacy policies and
procedures of the covered entity or the requirements of this subpart. This
standard does not apply to a member of the covered entity's workforce with
respect to actions that are covered by and that meet the conditions of
§ 164.502(j) or paragraph (g)(2) of this section.
(2) Implementation specification: documentation. As required by paragraph (j) of
this section, a covered entity must document the sanctions that are applied, if any.
AMC Explanation of HIPAA Regulation
A covered entity must apply and document corrective and disciplinary action when a member of
its workforce fails to comply with the covered entity's policies and procedures related to this
rule.
Key Issues
What sanctions will be applied and when? What gradation will be used?
Who reviews instances of noncompliance and recommends sanctions?
Who is responsible for applying sanctions?
Should physicians have different sanctions?
Category I Guidelines-Actions must be taken to address these
Develop sanctions against workforce members who fail to comply with the covered
entity's privacy policy.
Charge an individual or group to review policy and procedural violations and specify
corrective and/or disciplinary action.
Apply disciplinary action as necessary and appropriate.
Document corrective and disciplinary action taken.
Category II Guidelines-Actions should be taken to address these
Make sanctions progressive and commensurate with the severity, frequency, and intent of
violations.
Apply sanctions equitably without regard to an offender's role or position within the
covered entity.
Include termination of employment or contract relationship and/or criminal prosecution
as possible sanctions.
Include provision for sanctions in contract and labor agreements.
Coordinate sanctions with the covered entity's human resources department.
Consider establishing progressive sanctions, such as verbal warning, written warning, up
to termination, and determine when progressive sanctions are appropriate.
Make workforce members aware of the sanction procedures.
Roadblocks
Different discipline standards for various personnel categories may exist.
Comments
Publicizing the use of sanctions may be an effective deterrent to misbehavior. The sanctions do
not apply to whistleblower activities that meet the provisions of § 164.502(j) or complaints,
investigations, or opposition that meet the provisions of § 164.530(g)(2). Business associates are
not included under this particular requirement; requirements for business associates are listed in
§ 164.504.

PRIV.54 Mitigation
§ 164.530(f)
HIPAA Requirement
Standard: mitigation. A covered entity must mitigate, to the extent practicable,
any harmful effect that is known to the covered entity of a use or disclosure of
protected health information in violation of its policies and procedures or the
requirements of this subpart by the covered entity or its business associate.
AMC Explanation of HIPAA Regulation
Covered entities must take positive action to minimize known harmful effects resulting from the
unauthorized use or disclosure of protected health information, and are obligated to correct
known instances of harm. Business associates have an obligation to notify the covered entity of
any harmful effects they know about.
Key Issues
At what point does a harmful effect occur-when protected health information is
inappropriately used or disclosed, or when the inappropriate use or disclosure has a
tangible negative impact?
What reasonable steps should a covered entity take to mitigate harmful effects?
What does "harmful effect" mean in the covered entity and how does the entity become
aware that one has occurred?
Category I Guidelines-Actions must be taken to address these
Minimize harmful effects resulting from unauthorized use or disclosure of protected
health information by:
Containing the damage and stopping further compromise; and
Informing those responsible for the policy or procedural breach to prevent future
actions that would have harmful effects.
Category II Guidelines-Actions should be taken to address these
Consider whether inappropriate use or disclosure may in itself constitute a harmful effect.
(This is a legal issue. See Comments.)
Consider notifying individuals if misuse or inappropriate disclosure of their protected
health information will likely lead to a harmful effect.
Include contract language to transfer the potential financial burden of harm to business
associates.
Roadblocks
The point at which harmful effects occur is debatable. Notifying patients of inappropriate use or
disclosure of protected health information may, at times, cause more grief and consternation than
the direct effects of compromised information.
Comments
The rule uses the term "harmful effect" rather than "harm". This implies something following a
cause or agent, such as a compromise of information. Inappropriate use or disclosure of protected
health information may not be a harmful effect in and of itself.

PRIV.55
Refraining from intimidating or retaliatory acts
§ 164.530(g)
HIPAA Requirement
Standard: refraining from intimidating or retaliatory acts. A covered entity may
not intimidate, threaten, coerce, discriminate against, or take other retaliatory
action against:
(1) Individuals. Any individual for the exercise by the individual of any right
under, or for participation by the individual in any process established by this
subpart, including the filing of a complaint under this section;
(2) Individuals and others. Any individual or other person for:
(i) Filing of a complaint with the Secretary under subpart C of part 160 of this
subchapter;
(ii) Testifying, assisting, or participating in an investigation, compliance review,
proceeding, or hearing under Part C of Title XI; or
(iii) Opposing any act or practice made unlawful by this subpart, provided the
individual or person has a good faith belief that the practice opposed is unlawful,
and the manner of the opposition is reasonable and does not involve a disclosure
of protected health information in violation of this subpart.
AMC Explanation of HIPAA Regulation
Covered entities must not retaliate against persons for filing complaints, for testifying, for
participating in investigations, compliance reviews, proceedings or hearings, or for opposing real
or perceived unlawful acts or practices under this act provided the oppositions are made in good
faith.
Key Issues
Who will determine the proper response, if any?
What will the covered entity do if a workforce member does retaliate?
How can one determine whether retaliation is occurring?
Is there a monitoring or reporting issue here?
How would supervisors know if workforce members are engaged in retaliatory activities?
Category I Guidelines-Actions must be taken to address these
Establish policies and procedures that prohibit intimidation, threats, coercion,
discrimination, or retaliatory action against individuals who exercise their rights under
this act.
Category II Guidelines-Actions should be taken to address these
Communicate the non-retaliation policy through related policies and programs (e.g.
Standards of Conduct, Mutual Respect, and/or the Integrity Program).
Consider reporting mechanisms that protect complainers against retaliation (e.g.,
removing complainants' identifying information from complaint reports).
Coordinate with human resources and labor relations representatives.
Roadblocks
Training will be required to help workforce members to understand what is legal and illegal
under HIPAA so that they will correctly recognize illegality outside of their normal scope of
operations.
Comments
Communicating the expectations of this standard is critical.

PRIV.56
Waiver of rights
§ 164.530(h)
HIPAA Requirement
Standard: Waiver of rights. A covered entity may not require individuals to waive
their rights under § 160.306 of this subchapter or this subpart as a condition of
the provision of treatment, payment, enrollment in a health plan, or eligibility for
benefits.
AMC Explanation of HIPAA Regulation
A covered entity may not require individuals to waive their rights to file a complaint or their
other rights under the privacy standards as a condition of treatment, payment, enrollment in a
health plan, or eligibility for benefits. "This subpart" in the regulation text refers to § 164
Subpart E, consisting of §§ 164.500 through 164.534.
Key Issues
Should the entity ask patients to voluntarily waive their rights under this rule?
Category I Guidelines-Actions must be taken to address these
Do not require individuals to waive their rights to file a complaint or their other rights
under the privacy standards as a condition of treatment, payment, and enrollment in a
health plan or eligibility for benefits.
Category II Guidelines-Actions should be taken to address these
Consider not putting waivers of rights on consent forms.
Covered entities should not ask patients to waive their privacy rights.
Roadblocks
No roadblocks specific to this point.
Comments
This requirement ensures that covered entities do not force individuals to give up the rights they
have been provided in the privacy standards.

PRIV.57
Policies and procedures
§ 164.530(i)(1)
HIPAA Requirement
Standard: policies and procedures. A covered entity must implement policies and
procedures with respect to protected health information that are designed to
comply with the standards, implementation specifications, or other requirements
of this subpart. The policies and procedures must be reasonably designed,
taking into account the size of and the type of activities that relate to protected
health information undertaken by the covered entity, to ensure such compliance.
This standard is not to be construed to permit or excuse an action that violates
any other standard, implementation specification, or other requirement of this
subpart.
AMC Explanation of HIPAA Regulation
A covered entity must create and implement its privacy-related policy and procedure set. Merely
having a policy/procedure is not adequate; the design of the policy/procedure set must take into
account the size and type of operations in the covered entity.
Key Issues
How do the size and type of operations affect the policy/procedure set that must be
implemented?
How will the covered entity determine what is reasonable in implementing
policy/procedure?
Category I Guidelines-Actions must be taken to address these
Implement a reasonable policy/procedure set given the covered entity's size and type of
operations. (Group health plans that operate as described in § 164.530(k) need not
conform to this requirement.)
Category II Guidelines-Actions should be taken to address these
Formally determine how the covered entity's size and type affect its required
policy/procedure creation and implementation process.
Roadblocks
When smaller entities are absorbed by acquisition or merger into larger ones (e.g., an AMC
buying a community hospital), the policy/procedure set of the previously small covered entity
may not be adequate for its new role as part of the larger covered entity.
Comments
See GEN.06.

PRIV.58
Changes to policies or procedures
§ 164.530(i)(2)
HIPAA Requirement
Standard: changes to policies or procedures. (i) A covered entity must change its
policies and procedures as necessary and appropriate to comply with changes in
the law, including the standards, requirements, and implementation specifications
of this subpart;
(ii) When a covered entity changes a privacy practice that is stated in the notice
described in § 164.520, and makes corresponding changes to its policies and
procedures, it may make the changes effective for protected health information
that it created or received prior to the effective date of the notice revision, if the
covered entity has, in accordance with § 164.520(b)(1)(v)(C), included in the
notice a statement reserving its right to make such a change in its privacy
practices; or
(iii) A covered entity may make any other changes to policies and procedures at
any time, provided that the changes are documented and implemented in
accordance with paragraph (i)(5) of this section.
(3) Implementation specification: changes in law. Whenever there is a change in
law that necessitates a change to the covered entity's policies or procedures, the
covered entity must promptly document and implement the revised policy or
procedure. If the change in law materially affects the content of the notice
required by § 164.520, the covered entity must promptly make the appropriate
revisions to the notice in accordance with § 164.520(b)(3). Nothing in this
paragraph may be used by a covered entity to excuse a failure to comply with the
law.
(4) Implementation specifications: changes to privacy practices stated in the
notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this
section, a covered entity must:
(A) Ensure that the policy or procedure, as revised to reflect a change in the
covered entity's privacy practice as stated in its notice, complies with the
standards, requirements, and implementation specifications of this subpart;
(B) Document the policy or procedure, as revised, as required by paragraph (j) of
this section; and
(C) Revise the notice as required by § 164.520(b)(3) to state the changed practice
and make the revised notice available as required by § 164.520(c). The covered
entity may not implement a change to a policy or procedure prior to the effective
date of the revised notice.
(ii) If a covered entity has not reserved its right under § 164.520(b)(1)(v)(C) to
change a privacy practice that is stated in the notice, the covered entity is bound
by the privacy practices as stated in the notice with respect to protected health
information created or received while such notice is in effect. A covered entity
may change a privacy practice that is stated in the notice, and the related policies
and procedures, without having reserved the right to do so, provided that:
(A) Such change meets the implementation requirements in paragraphs
(i)(4)(i)(A)-(C) of this section; and
(B) Such change is effective only with respect to protected health information
created or received after the effective date of the notice.
(5) Implementation specification: changes to other policies or procedures. A
covered entity may change, at any time, a policy or procedure that does not
materially affect the content of the notice required by § 164.520, provided that:
(i) The policy or procedure, as revised, complies with the standards,
requirements, and implementation specifications of this subpart; and
(ii) Prior to the effective date of the change, the policy or procedure, as revised, is
documented as required by paragraph (j) of this section.
AMC Explanation of HIPAA Regulation
When a change in law affects a covered entity's privacy policy, the policy must change to
accommodate the change in law. If the covered entity reserved the right to change its privacy
policies and procedures in its privacy notice, it may apply the new standards to protected health
information acquired before the change. If it did not, it must continue to apply the old standard
to that information. Entities must maintain documentation of their policies and procedures. Note
that group health plans are excepted from this requirement (§ 164.530(i)) if they handle little
protected health information as described in § 164.530(k).
Key Issues
What are the implications on operations of not reserving the right to change policy in the
privacy notice, changing it, and then having prior protected health information governed
by the old notice and new governed by the new notice?
How will the covered entity determine what is reasonable in implementing
policy/procedure change?
Category I Guidelines-Actions must be taken to address these
Change policies and procedures when changes to law or regulations require it.
If the privacy notice provides for changes, change it when policies that affect it change.
The new notice will either cover all protected health information, or only new
information, depending on whether the prior notice reserved the right to change.
Document the policy and procedure change process, either in writing or electronically.
Category II Guidelines-Actions should be taken to address these
Consider reserving the right to change privacy policy in the privacy notice.
Consider the logistics and communications issues of changes when crafting privacy
policies and notices, for employees as well as patients.
Determine how covered entity size, complexity, and type affect the policy/procedure
creation and implementation process.
Roadblocks
When smaller entities are absorbed by acquisition or merger into larger ones (e.g., an AMC
buying a community hospital), the policy/procedure set of the previously small covered entity
may not be adequate for its new role as part of the large covered entity.
Comments
Group health plans that operate as described in § 164.530(k) need not conform to this
requirement.
PRIV.59 Documentation
§ 164.530(j)
HIPAA Requirement
(1) Standard: Documentation. A covered entity must:
(i) Maintain the policies and procedures provided for in paragraph (i) of this
section in written or electronic form;
(ii) If a communication is required by this subpart to be in writing, maintain such
writing, or an electronic copy, as documentation; and
(iii) If an action, activity, or designation is required by this subpart to be
documented, maintain a written or electronic record of such action, activity, or
designation.
(2) Implementation specification: Retention period. A covered entity must retain
the documentation required by paragraph (j)(1) of this section for six years from
the date of its creation or the date when it last was in effect, whichever is later.
AMC Explanation of HIPAA Regulation
This requirement calls for documentation in support of policies and procedures and all other
subparts of the privacy regulations that directly list documentation as a requirement.
Documentation must be kept current to reflect changes in regulatory requirements and a covered
entity's privacy processes, and must be retained for a period of 6 years. It appears that the
provisions of this section apply to all of the other documentation requirements of the regulation.
Key Issues
How will the entity ensure compliance with document management requirements?
How will the entity ensure consistent documentation practices across departments?
Who will be allowed to have access to this documentation?
Category I Guidelines-Actions must be taken to address these.
Document privacy policies and procedures in written or electronic form.
Document required communications, designations, actions, and activities.
Record date of creation and last date of effectiveness of documents.
Maintain required documentation for six years from date of creation or the date when the
policy or procedure was last in effect, whichever is later.
Category II Guidelines-Actions should be taken to address these.
Promulgate the policy on documentation from the highest organizational level.
Clearly delineate responsibility for documentation of policies and procedures.
Specify the rescission and review dates for documentation.
Centralize retention of policy and procedure documentation.
Communicate to managers that a lack of documentation may be interpreted as failure of
compliance.
Organize documentation in such a way that it can be identified when necessary.
Centralize and standardize documentation across the organization so that it is easily
accessible.
Roadblocks
It may be difficult to get some groups within the entity to adopt required documentation practices
and procedures. Without direction and accountability for the periodic review and
communication of documentation updates, it is easy for documentation to fall by the wayside.
Comments
Several other standards also require documentation of policy and procedure, as well as
documentation of consideration given to policies that might not be adopted. Among those are
standards associated with JCAHO, the FDA Safe Medical Device Act, OSHA, and others.
Document management could involve a central office, or could be the responsibility of each
manager.