§ 164.530 Administrative requirements.
(a)(1)
Standard: personnel designations. (i) A covered entity must designate a
privacy official who is responsible for the development and implementation of
the policies and procedures of the entity.
(ii)
A covered entity must designate a contact person or office who is responsible
for receiving complaints under this section and who is able to provide further
information about matters covered by the notice required by § 164.520.
(2)
Implementation specification: personnel designations. A covered entity
must document the personnel designations in paragraph (a)(1) of this section as
required by paragraph (j) of this section.
(b)(1)
Standard: training. A covered entity must train all members of its
workforce on the policies and procedures with respect to protected health
information required by this subpart, as necessary and appropriate for the
members of the workforce to carry out their function within the covered
entity.
(2)
Implementation specifications: training. (i) A covered entity must
provide training that meets the requirements of paragraph (b)(1) of this
section, as follows:
(A)
To each member of the covered entity's workforce by no later than the compliance date for the covered entity;
(B)
Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and
(C)
To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.
(ii)
A covered entity must document that the training as described in paragraph
(b)(2)(i) of this section has been provided, as required by paragraph (j) of
this section.
(c)(1)
Standard: safeguards. A covered entity must have in place appropriate
administrative, technical, and physical safeguards to protect the privacy of
protected health information.
(2)
Implementation specification: safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
(d)(1)
Standard: complaints to the covered entity. A covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by this subpart or its compliance with such policies and procedures or the requirements of this subpart.
(2)
Implementation specification: documentation of complaints. As required by
paragraph (j) of this section, a covered entity must document all complaints
received, and their disposition, if any.
(e)(1)
Standard: sanctions. A covered entity must have and apply appropriate
sanctions against members of its workforce who fail to comply with the privacy
policies and procedures of the covered entity or the requirements of this
subpart. This standard does not apply to a member of the covered entity's
workforce with respect to actions that are covered by and that meet the
conditions of § 164.502(j) or paragraph (g)(2) of this section.
(2)
Implementation specification: documentation. As required by paragraph (j)
of this section, a covered entity must document the sanctions that are applied,
if any.
(f)
Standard: mitigation. A covered entity must mitigate, to the extent
practicable, any harmful effect that is known to the covered entity of a use or
disclosure of protected health information in violation of its policies and
procedures or the requirements of this subpart by the covered entity or its
business associate.
(g)
Standard: refraining from intimidating or retaliatory acts. A covered
entity may not intimidate, threaten, coerce, discriminate against, or take other
retaliatory action against:
(1)
Individuals. Any individual for the exercise by the individual of any right under, or for participation by the individual in any process established by this subpart, including the filing of a complaint under this section;
(2)
Individuals and others. Any individual or other person for:
(i)
Filing of a complaint with the Secretary under subpart C of part 160 of this
subchapter;
(ii)
Testifying, assisting, or participating in an investigation, compliance review,
proceeding, or hearing under Part C of Title XI; or
(iii)
Opposing any act or practice made unlawful by this subpart, provided the
individual or person has a good faith belief that the practice opposed is
unlawful, and the manner of the opposition is reasonable and does not involve a
disclosure of protected health information in violation of this subpart.
(h)
Standard: waiver of rights. A covered entity may not require individuals to waive their rights under § 160.306 of this subchapter or this subpart as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
(i)(1)
Standard: policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart. The policies and procedures must be reasonably designed, taking into account the size of and the type of activities that relate to protected health information undertaken by the covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart.
(2)
Standard: changes to policies or procedures. (i) A covered entity must
change its policies and procedures as necessary and appropriate to comply with
changes in the law, including the standards, requirements, and implementation
specifications of this subpart;
(ii)
When a covered entity changes a privacy practice that is stated in the notice
described in § 164.520, and makes corresponding changes to its policies and
procedures, it may make the changes effective for protected health information
that it created or received prior to the effective date of the notice revision,
if the covered entity has, in accordance with § 164.520(b)(1)(v)(C), included
in the notice a statement reserving its right to make such a change in its
privacy practices; or
(iii)
A covered entity may make any other changes to policies and procedures at any
time, provided that the changes are documented and implemented in accordance
with paragraph (i)(5) of this section.
(3)
Implementation specification: changes in law. Whenever there is a change
in law that necessitates a change to the covered entity's policies or
procedures, the covered entity must promptly document and implement the revised
policy or procedure. If the change in law materially affects the content of the
notice required by § 164.520, the covered entity must promptly make the
appropriate revisions to the notice in accordance with § 164.520(b)(3). Nothing
in this paragraph may be used by a covered entity to excuse a failure to comply
with the law.
(4)
Implementation specifications: changes to privacy practices stated in the
notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of
this section, a covered entity must:
(A)
Ensure that the policy or procedure, as revised to reflect a change in the
covered entity's privacy practice as stated in its notice, complies with the
standards, requirements, and implementation specifications of this subpart;
(B)
Document the policy or procedure, as revised, as required by paragraph (j) of
this section; and
(C)
Revise the notice as required by § 164.520(b)(3) to state the changed practice
and make the revised notice available as required by § 164.520(c). The covered
entity may not implement a change to a policy or procedure prior to the
effective date of the revised notice.
(ii)
If a covered entity has not reserved its right under § 164.520(b)(1)(v)(C) to
change a privacy practice that is stated in the notice, the covered entity is
bound by the privacy practices as stated in the notice with respect to protected
health information created or received while such notice is in effect. A covered
entity may change a privacy practice that is stated in the notice, and the
related policies and procedures, without having reserved the right to do so,
provided that:
(A)
Such change meets the implementation specifications in paragraphs (i)(4)(i)(A)-(C)
of this section; and
(B)
Such change is effective only with respect to protected health information
created or received after the effective date of the notice.
(5)
Implementation specification: changes to other policies or procedures. A
covered entity may change, at any time, a policy or procedure that does not
materially affect the content of the notice required by § 164.520, provided
that:
(i)
The policy or procedure, as revised, complies with the standards, requirements,
and implementation specifications of this subpart; and
(ii)
Prior to the effective date of the change, the policy or procedure, as revised,
is documented as required by paragraph (j) of this section.
(j)(1)
Standard: documentation. A covered entity must:
(i)
Maintain the policies and procedures provided for in paragraph (i) of this
section in written or electronic form;
(ii)
If a communication is required by this subpart to be in writing, maintain such
writing, or an electronic copy, as documentation; and
(iii)
If an action, activity, or designation is required by this subpart to be
documented, maintain a written or electronic record of such action, activity, or
designation.
(2)
Implementation specification: retention period. A covered entity must
retain the documentation required by paragraph (j)(1) of this section for six
years from the date of its creation or the date when it last was in effect,
whichever is later.
(k)
Standard: group health plans. (1) A group health plan is not subject to the standards or implementation specifications in paragraphs (a) through (f) and (i) of this section, to the extent that:
(i)
The group health plan provides health benefits solely through an insurance contract with a health insurance issuer or an HMO; and
(ii)
The group health plan does not create or receive protected health information, except for:
(A)
Summary health information as defined in § 164.504(a); or
(B)
Information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.
(2)
A group health plan described in paragraph (k)(1) of this section is subject to the standard and implementation specification in paragraph (j) of this section only with respect to plan documents amended in accordance with § 164.504(f).