HIPAA PRIVACY REGULATIONS


ADMINISTRATIVE REQUIREMENTS § 164.530


Standard: Personnel designations

1.  Designate a privacy official who is responsible for development and implementation of policies and procedures.

2.  Designate a contact person to receive complaints and provide further information about matters covered in the Privacy Regulations. [privacy official?]


Standard: Training

1.  Covered entity [privacy official?] must train all employees by April 14, 2003 regarding the Privacy Regulations and the entity's policies and procedures.  Must train all new employees within a reasonable time of hiring, and retrain employees every three years.  All such training shall be documented.


Standard: Safeguards

1. An entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI) from intentional or unintentional use or disclosure in violation of the regulations.

2. An entity must reasonably safeguard PHI to limit incidental uses or disclosures.


Standard: Complaints to the Covered Entity

1. Covered entity must provide a process for individuals to make complaints concerning the entity’s policies and procedures.

2. Covered entity must document all complaints received and their disposition, if any.


Standard: Sanctions

1. Covered entity must have appropriate sanctions against employees who fail to comply with the policies and procedures.

2. Covered entity must document the sanctions that are applied, if any.


Standard: Mitigation

Covered entity must mitigate, to the extent practical, any known harmful effect from violation of the policies and procedures.


Standard: Refraining from Intimidating or Retaliatory Acts

Covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory actions against an individual for:

1. Filing a complaint with the entity,

2. Filing a complaint with the Secretary of Health and Human Services,

3. Testifying, assisting, or participating in an investigation or compliance proceeding,

4. Opposing any act or practice made unlawful by the regulations, providing that the act is in good faith belief of unlawfulness, and the opposition is reasonable and does not involve the disclosure of PHI.


Standard: Waiver of Rights

Covered entity may not require individuals to waive their rights under these regulations as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.


Standard: Policies and Procedures

1. The policies and procedures must be reasonably designed, taking into account the size of the entity and the type of activities that relate to protected health information, to ensure compliance.

2. When a covered entity changes its notice of privacy practices, and makes corresponding changes in policies and procedures, the entity can make the changes effective for PHI created or received prior to the effective date of the notice revision, IF the notice of privacy practices states a reservation of the right to make such changes.

3. Whenever there is a change in the law necessitating a change in the policies and procedures, those changes must be made promptly and so documented.  If the change requires a revision of the notice of privacy practices, this revised notice shall be made available as required in 45 CFR § 164.520.


Standard: Retention Period

Covered entity must retain the documentation required by these regulations for six years.