§ 164.530 Administrative requirements
Introductory Comment: This section is critically important because it describes the administrative procedures that must be followed in order to comply with the HIPAA Privacy Rule. In essence, the way to build a “good story” and “to do the right thing” is to adhere to the standards and implementation specifications contained herein. For this reason, we attempt a more thorough dissection, similar to the approach taken for the notice requirement. That said, nearly all standards in this section are still succinctly paraphrased for readability.
(a) Standard: Personnel designations. A Covered Entity must designate a privacy official responsible for implementing the rules and a contact person or office for receiving complaints.
HIPAA Survival Guide Note
For small providers, this person is likely to be the office administrator in both cases. The point that needs to be emphasized is that someone must be designated, and that designation should be captured in a policy document.
(b) Standard: Training. A Covered Entity must train all members of its workforce regarding Protected Health Information, as applicable and as necessary for them to perform their jobs. In general, a covered entity must conduct such training within a reasonable time, and the training must be documented.
HIPAA Survival Guide Note
A “good story” requires quality documentation, which is the foundation upon which it is built. It stands to reason that training records should be logged and signed; otherwise the demonstrable evidence of compliance will not be available if and when it is required.
(c) Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
HIPAA Survival Guide Note
These safeguards are covered in depth under the HIPAA Security Rule (SR), which is meant to complement the HIPAA Privacy Rule. This reference to safeguards makes the relationship between the rules more explicit.
(d) Standard: Complaints to the covered entity. A Covered Entity must provide a process for individuals to make complaints and complaints must be documented.
(e) Standard: Sanctions. A Covered Entity must apply appropriate sanctions against members of its workforce who do not comply with the rules and must document such sanctions.
(f) Standard: Mitigation. A Covered Entity must mitigate, to the extent practicable, any harmful effects caused by the inappropriate disclosure of PHI.
(g) Standard: Refraining from intimidating or retaliatory acts. A Covered Entity must refrain from intimidation or retaliation against an individual for the exercise of an established individual right.
(h) Standard: Waiver of rights. A covered entity may not require individuals to waive their rights under the rules as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
HIPAA Survival Guide Note
These standards simply make good common sense and therefore should not present compliance challenges under the principle of “do the right thing.” If a complaint is lodged, then following a rules-based, compliant process is the most reasonable (and defensible) course of action.
(i) Standard: Policies and procedures. A Covered Entity must implement policies and procedures with respect to Protected Health Information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and must make any changes to its policy and procedures necessary to comply with the law.
HIPAA Survival Guide Note
Given the recent changes introduced by the HITECH Act, and new regulations that may soon follow, it is imperative that providers develop a reasonable method by which they can stay abreast of the changing statutory and regulatory landscape.
(j) (1) Standard: Documentation. A covered entity must:
(i) Maintain the policies and procedures provided for in paragraph (i) of this section in written or electronic form;
(ii) If a communication is required by this subpart to be in writing, maintain such writing, or an electronic copy, as documentation; and
(iii) If an action, activity, or designation is required by this subpart to be documented, maintain a written or electronic record of such action, activity, or designation.
(2) Standard: Implementation specification: Retention period. A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.
HIPAA Survival Guide Note
Section (j) is presented in its entirety. As has been emphasized throughout this guide, no documentation translates into “no story.” It is highly improbable that a provider will survive a HIPAA compliance audit without incurring some liability if the mandated documentation is not in place.