Final Rule for Standards for Privacy of Individually Identifiable Health Information. What the Rule Covers

Analysis by the AHIMA Policy and Government Relations Team

Administrative Requirements

Standard: Personnel Designations—Privacy Officer

The Rule states (§164.530(1)(i)) that: "A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity." The Rule also states (§164.530(ii)) that "A covered entity must designate a contact person or office who is responsible for receiving complaints under this…[Rule] and who is able to provide further information about matters covered by the Notice of Privacy Practices."

{Note that AHIMA has published a position description for the Privacy Officer.}

Specifications: Personnel Designations
The personnel and offices selected in these two designations – privacy official and contact person – must be documented per the Rule's documentation requirements and the requirements in the Notice.

{Note again, that the contact person and privacy official (officer) do not necessarily have to be the same individual.}

Standard: Training

"A covered entity (§164.530(b)(1)) must train all members of its workforce on the policies and procedures with respect to PHI required by this…[Rule]…as necessary and appropriate for the members of the workforce to carry out their function within the covered entity."

Specifications: Training
To meet this requirement, training must:

  • Be provided to "each member of the covered entity’s workforce by no later than the compliance date for the covered entity;"

  • "Thereafter" provide such training "to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and

  • Provide additional training "To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this..[Rule]..within a reasonable period of time after the material change becomes effective."

A covered entity must document that the training as described has been provided.

{The training described here is significant in meeting the compliance requirements of the Rule. Since just about all members of the workforce have the potential to come across some amount and/or form of PHI, training will have to be directed to all workforce members. This does not mean that all members should or need to be trained to the same degree or amount. The Rule does not designate who should do the training, although there are some assumptions in the impact analysis (65 FR 82758). The size of the workforce and the turnover of that workforce will also affect how the training is given and what it covers.

Documentation of training should be done on both an entity-wide and an individual basis. A signed statement of training by the individual workforce member will be helpful to show that training has occurred. This can also be used for enforcement purposes.}

Standard: Safeguards

"A covered entity (§164.530(c)(1)) must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI."

Specification: Safeguards
As such, the entity "must reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this" [Rule].

{There is limited language here regarding safeguards. However, HIPAA also has a set of security regulations that will be issued and will work hand in hand with this Privacy rule.}

Standard: Complaints to the Covered Entity

A covered entity (§164.530(d)(1)) "must provide a process for individuals to make complaints concerning the covered entity’s policies and procedures required by this..[Rule]..or its compliance with such policies and procedures or the requirements of this..[Rule]." A "covered entity must also document all complaints received and their disposition."

Standard: Sanctions

A covered entity (§164.530(e)(1)) "must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of" the Rule. This requirement or standard "does not apply to a member of the covered entity’s workforce with respect to actions that are covered by and that meet the conditions of" the Rule’s requirements for disclosures by whistleblowers and workforce member crime victims, or workforce members that are filing a complaint with the Secretary, testifying, assisting or participating in an investigation, compliance review or similar proceeding, or opposing any unlawful act or practice. "A covered entity must document the sanctions that are applied, if any."

Standard: Mitigation

"A covered entity (§164.530(f)) must mitigate, to the extent practicable, any harmful effect that is known to the covered entity as a use or disclosure of PHI in violation of its policies and procedures or the requirements of this [Rule] by the covered entity or its business associate."

Standard: Refraining from Intimidating or Retaliatory Acts

"A covered entity (§164.530(g)) may not intimidate threaten, coerce, discriminate against, or take other retaliatory action against:

  • Individuals—"Any individual for the exercise by the individual of any right under, or for participation by the individual in any process established by this [Rule] including the filing of a complaint"…;
  • Individuals and others—"Any individual or other person for:
    • Filing a complaint with the Secretary;
    • Testifying, assisting, or participating in an investigation, compliance review, proceeding or hearing under Part C of Title XI; or
    • Opposing any act or practice made unlawful by this [Rule] provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of the opposition is reasonable and does not involve a disclosure of PHI in violation of this [Rule]."

Standard: Waiver of Rights

"A covered entity (§164.530(h)) may not require individuals to waive their rights under" the Rule’s section on "complaints to the Secretary" or other parts of the Rule "as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

Standard: Policies and Procedures

"A covered entity (§164.530(i)(1)) must implement policies and procedures with respect to PHI that is designed to comply with the standards, implementation specifications, or other requirements of this [Rule]. The policies and procedures must be reasonably designed, taking into account the size of and the type of activities that relate to PHI undertaken by the covered entity, to ensure such compliance." The Secretary then states that, "This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this [Rule]."

Standard: Changes to Policies or Procedures

"A covered entity must change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of this [Rule]. When a covered entity changes a privacy practice that is stated in the Notice…and makes corresponding changes to its policies and procedures, it may make the changes effective for PHI that it created or received prior to the effective date of the Notice revision," if it has "included in the Notice a statement reserving its right to make such a change in its privacy practices…A covered entity may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented in accordance" with all requirements of the Rule.

Specification: Change in Law
"Whenever there is a change in law that necessitates a change to the covered entity’s policies or procedures, the covered entity must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the Notice…, the covered entity must promptly make the appropriate revisions to the Notice…. Nothing in this paragraph may be used by a covered entity to excuse a failure to comply with the law."

To implement these changes to privacy policies and procedures, a covered entity must:

  • "Ensure that the policy or procedure, as revised to reflect a change in the covered entity’s privacy practice as stated in its Notice, complies with the standards, requirements, and implementation specifications of the [Rule];"

  • "Document the policy or procedure as revised" and as required under the documentation section of this Rule; and

  • Revise the Notice as required…to state the changed practice and make the revised Notice available as required.

Note: "The covered entity may not implement a change to a policy or procedure prior to the effective date of the revised Notice."

If the covered entity has not reserved its right…to change a privacy practice that is stated in the Notice, the covered entity is bound by the privacy practices as stated in the Notice with respect to PHI created or received while such notice is in effect. A covered entity may change a privacy practice that is stated in the Notice, and the related policies and procedures, without having reserved the right to do so, provided that the change meets the implementation requirements in the paragraph just above and that "such change is effective only with respect to PHI created or received after the effective date of the notice."

Specification: Changes to Other Policies or Procedures
"A covered entity (§164.530(i)(5)) may change at any time, a policy or procedure that does not materially affect the content of the Notice…provided that:

  • The policy or procedure, as revised, complies with the standards, requirements, and implementation specification of this subpart; and

  • Prior to the effective date of the change, the policy or procedure, as revised, is documented."

Standard: Documentation

"A covered entity (§164.530(j)(1)) must:

  • Maintain the policies and procedures provided for [above] in written or electronic form;

  • If a communication is required by this [Rule] to be in writing, maintain such writing, or an electronic copy, as documentation; and

  • If an action, activity, or designation is required by this [Rule] to be documented, maintain a written or electronic record of such action, activity, or designation."

Specification: Retention Period
"A covered entity (§164.530(j)(2)) must retain the documentation required…for six years from the date of its creation or the date when it last was in effect, whichever is later."

Standard: Group Health Plans

A group health plan is not subject to the standards or implementation specifications noted above in "personnel designations," "training," "safeguards," "complaints to the covered entity," "sanctions," "mitigation," and "policies and procedures" to the extent that:

  • The group health plan provides health benefits solely through an insurance contract with a health insurance issuer or an HMO; and

  • The group health plan does not create or receive PHI, except for
    • summary health information,
    • information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.

For any documents that the group health plan is nonetheless required to maintain, it must meet all of the documentation requirements noted above.

{Readers of the Administrative section above will see many similarities to the Medicare compliance program. While the compliance officer should probably not serve as the privacy officer, he or she should be part of any privacy task force, and could serve in an active capacity to handle nonpatient complaints and help coordinate audits, training, sanctions and so forth.}
