H. Development and documentation of policies and procedures. (§ 164.520)

[Please label comments about this section with the subject: “Policies and procedures”]

In proposed § 164.520, we would require covered entities to develop and document their policies and procedures for implementing the requirements of this rule. This requirement is intended as a tool to facilitate covered entities’ efforts to develop appropriate policies to implement this rule, to ensure that the members of its workforce and business partners understand and carry out expected privacy practices, and to assist covered entities in developing a notice of information practices.

The scale of the policies developed should be consistent with the size of the covered entity. For example, a smaller employer could develop policies restricting access to health plan information to one designated employee, empowering that employee to deny release of the information to corporate executives and managers unless required for health plan administration. Larger employers could have policies that include using contractors for any function that requires access to protected health information or requiring all reports they receive for plan administration to be de-identified unless individual authorization is obtained.

Clearly, implementation of these requirements would differ significantly based on the size, capabilities and activities of each covered entity. A solo practitioner's documentation of her policies and procedures could provide relatively straightforward statements, such as:

this practice does not use or disclose any protected health information that is not authorized or permitted under the federal privacy regulation and therefore does not request any authorized disclosures from patients. Staff R.N. reviews all individually authorized requests for disclosures to ensure they contain all required elements and reviews the copied information to ensure only authorized information is released in response. Information requests that would require extensive redaction will be denied.

Larger entities with many functions and business relationships that are subject to multi-state reporting and record-keeping requirements would need to develop and document more extensive policies. A health plan would need to describe all activities that would be considered health care operations and identify the use and disclosure requirements of each activity. A health plan may determine that underwriting department employees must provide a written request, approved by a team leader, to access any identifiable claims information; that such requests must be retained and reviewed every quarter for appropriateness; and that the underwriting department must destroy such information after use for an approved activity. We urge professional associations to develop model policies, procedures and documentation for their members of all sizes.

We are proposing general guidelines for covered entities to develop and document their own policies and procedures. We considered a more uniform, prescriptive approach but concluded that a single approach would be neither effective in safeguarding protected health information nor appropriate given the vast differences among covered entities in size, business practices and level of sophistication. It is important that each covered entity’s internal policies and procedures for implementing the requirements of this regulation are tailored to the nature and number of its business arrangements, the size of its patient population, its physical plant and computer system, the size and characteristics of its workforce, whether it has one or many locations, and similar factors. The internal policies and procedures appropriate for a clearinghouse would not be appropriate for a physician practice; the internal policies and procedures appropriate for a large, multi-state health plan would not be appropriate for a smaller, local health plan.

After evaluating the requirements of federal, State, or other applicable laws, covered entities should develop policies and procedures that are appropriate for their size, type, structure, and business arrangements. Once a covered plan or provider has developed and documented all of the policies and procedures as required in this section, it would have compiled all of the information needed to develop the notice of information practices required in § 164.512. The notice is intended to include a clear and concise summary of many of the policies and procedures discussed in this section. Further, if an individual has any questions about the entity’s privacy policies that are not addressed by the notice, a representative of the entity can easily refer to the documented policies and procedures for additional information.

Before making a material change in a policy or procedure, the covered entity would, in most instances, be required to make the appropriate changes to the documentation required by this section before implementing the change. In addition, covered plans and providers would be required to revise the notice of information practices in advance. Where the covered entity determines that a compelling reason exists to take an action that is inconsistent with its documentation or notice before making the necessary changes, it may take such action if it documents the reasons supporting the action and makes the necessary changes within 30 days of taking such action.

In an attempt to ensure that large entities develop coordinated and comprehensive policies and procedures as required by this section, we considered proposing that entities with annual receipts greater than $5 million (1) be required to have a privacy board review and approve the documentation of policies and procedures. As originally conceived, the privacy board would only serve to review research protocols as described in § 164.510(j). We believe that such a board could also serve as “privacy experts” for the covered entity and could review the entity’s documented policies and procedures. In this capacity, the overriding objective of the board would be to foster development of up-to-date, individualized policies that enable the organization to protect health information without unnecessarily interfering with the treatment and payment functions or business needs. This type of review is particularly important for large entities that would have to coordinate policies and procedures among a large staff, but smaller organizations would be encouraged, but not required, to take a similar approach (i.e., have a widely representative group participate in the development and/or review of the organization’s internal privacy policies and the documentation thereof). We solicit comment on this proposal.

We also considered requiring the covered entity to make its documentation available to persons outside the entity upon request. We rejected this approach because covered entities should not be required to share their operating procedures with the public, or with their competitors.

We recognize that the documentation requirement in this proposed rule would impose some paperwork burden on covered plans and providers. However, we believe that it is necessary to ensure that covered plans and providers establish privacy policies and procedures in advance of any requests for disclosure, authorization, or subject access. It is also necessary to ensure that covered entities and members of their workforce have a clear understanding of the permissible uses and disclosures of protected health information and their duty to protect the privacy of such information under specific circumstances.

1. Uses and disclosures of protected health information.

We propose that covered entities be required to develop and document policies and procedures for how protected health information would be used and disclosed by the entity and its business partners. The documentation would include policies to ensure the entity is in compliance with the requirements for use and disclosure pursuant to an individual’s authorization. This would also include documentation of how the covered entity would comply with an individual’s revocation of an authorization, as provided in proposed § 164.508(e). For example, upon receipt of a revocation, the entity may need to take steps to notify each business partner that is responsible for using or disclosing protected health information on behalf of the covered entity based on the individual’s authorization. Because the entity is ultimately responsible for the protected health information, it may want written confirmation from the business partner that it received notice of the revocation.

The covered entity would be required to include policies and procedures necessary to address disclosures required by applicable law. For example, the covered entity may want to include a list of the relevant reporting requirements such as those for abuse, neglect and communicable disease and its policies and procedures for complying with each requirement.

It would also include policies and procedures for uses and disclosures without the individual’s authorization, including uses and disclosures for treatment, payment and health care operations under § 164.506(a)(1)(i). The documentation should address all of the legally permissible uses and disclosures that the covered entity is reasonably likely to make and should clearly specify the policy of the entity with respect to each. For example, all covered plans and providers face a reasonable likelihood of a request for disclosure from a health oversight agency, so every covered plan and provider should develop and document policies and procedures for responding to such requests. However, a provider that only treats adults would not need to specify a policy with respect to state laws that authorize disclosure relating to measles in young children. In this latter case, the provider knows that he or she is not reasonably likely to make such a disclosure and therefore, could wait until he or she is presented with such a request before developing the necessary policies and procedures.

The documentation would include the entity’s policies and procedures for complying with the requirements of proposed § 164.506(e) for disclosing protected health information to business partners, including policies and procedures for monitoring the business partners, mitigating harm, and imposing sanctions where appropriate.

It would address the policies and procedures for implementation of the minimum necessary requirement as provided in proposed § 164.506(b). It would also include policies and procedures addressing the creation of de-identified information pursuant to § 164.506(d). For example, a plan could have a policy that requires employees to remove identifiers from protected health information for all internal cost, quality, or performance evaluations. The plan would document this policy and the procedures for removing the identifiers.

2. Individual requests for restricting uses and disclosures.

We propose to require covered health care providers to document how they would implement an individual’s request to restrict uses and disclosures. Under proposed § 164.506(c)(1)(iii), a covered entity need not agree to such restrictions. This section of the documentation would describe who (if anyone) in the covered entity is permitted to agree to such restrictions, and if such restrictions were accepted, how they would be implemented. For example, a provider may require that once an individual has requested a limitation on a use or disclosure, the affected information is stamped, marked or kept in a separate file. The provider could also have a policy of never agreeing to requests for such restrictions.

3. Notice of information practices.

We propose to require covered plans and providers to document their policies and procedures for complying with the requirement in § 164.512 to develop, make available or disseminate, and amend their notices of information practices. This documentation would address, at a minimum, who is responsible for developing and updating the notice, who would serve as the “contact” person on the notice, how the notice would be disseminated to individuals, and how to respond to inquiries regarding information practices.

4. Inspection and copying.

We propose to require covered plans and providers to document policies and procedures to address how they would receive and comply with individual requests for inspection, and copying, in compliance with § 164.514 of this proposed rule. Policies and procedures should address, at a minimum, a listing of the designated record sets to which access will be provided, any fees to be charged, and the reasons (if any) that the entity would deny a request for inspection and copying.

5. Amendment or correction.

We propose to require covered plans and providers to develop and document policies and procedures to address how they would receive and comply with individual requests for amendment or correction of their records, in compliance with § 164.516 of this proposed rule. Policies and procedures should include the process for determining whether a request for amendment or correction should be granted, the process to follow if a request is denied, and how the entity would notify other entities, including business partners, if the request is accepted. For example, if a covered entity accepts an individual’s request for an amendment or correction, the entity could document specific procedures regarding how to make the appropriate additions or notations to the original information. Without such documentation, members of the workforce could accidentally expunge or remove the incorrect information.

6. Accounting for disclosures.

We propose to require covered entities to develop and document their policies and procedures for complying with the requirement in § 164.515 to provide on request an accounting for disclosures for purposes other than treatment, payment or health care operations. In order to respond to requests for accounting within a reasonable period of time, the entity would need to have a system for accounting in place well in advance of any potential requests. The entity would need to evaluate its record keeping system and determine how best to build in the capacity to respond to such a request. For example, if the entity chooses to keep a regular log of disclosures, it would have to begin keeping such logs routinely. If instead the entity chooses to rely on a record keeping system to reconstruct an accounting, it should develop appropriate procedures for members of the workforce to follow when faced with an individual’s request.

7. Administrative requirements.

We propose to require covered entities to document their policies and procedures for complying with the applicable administrative requirements in proposed § 164.518. This would include designation of the privacy official required by § 164.518(a), including a description of his or her responsibilities; a description of how the entity would comply with the training and certification requirements for members of its workforce under § 164.518(b); a description of the covered entity’s safeguards required by § 164.518(c); a description of how the covered plan or provider would meet the requirements of § 164.518(d) to receive individuals’ complaints; a description of how the covered entity would meet the requirements for sanctioning members of its workforce under § 164.518(e); and a description of how the covered entity would take steps to mitigate any deleterious effect of a use or disclosure of protected health information as required by § 164.518(f).

The documentation would also address how access to protected health information is regulated by the entity, including the safeguards and procedures that would be required by proposed § 164.518. For covered entities that are part of a larger organization that is not a covered entity (e.g., an on-site clinic at a university or the group health plan component of an employer), we would require such entities to develop and document policies and procedures that ensure that protected health information does not flow outside the health care component of the organization in violation of this proposed rule. For example, a school-based health clinic should have policies and procedures to prevent treatment information from crossing over into the school’s record system.

Many disclosures would require verification of the identity of the person making the request, and sometimes also verification of the legal authority behind the request. The documentation required by this section would include a description of the entity’s verification policies (e.g., what proof would be acceptable), and who would be responsible for ensuring that the necessary verification has occurred before the information is disclosed.

8. Record keeping requirements.

We propose record keeping requirements related to several provisions. In addition to the documentation of policies and procedures described above, we would require covered entities, as applicable, to: document restrictions on uses and disclosures agreed to pursuant to § 164.506(c); maintain copies of authorization forms and signed authorizations (§ 164.508) and contracts used with business partners (§ 164.506(e)); maintain notices of information practices developed under § 164.512; maintain written statements of denials of requests for inspection and copying pursuant to § 164.514; maintain any response made to a request from an individual for amendment or correction of information, either in the form of the correction or amendment or the statement of the reason for denial and, if supplied, the individual's statement of disagreement, for as long as the protected health information is maintained (§ 164.516); maintain signed certifications by members of the workforce required by § 164.518(b); and, maintain a record of any complaints received (§ 164.518(d)). Unless otherwise addressed in this proposal, covered entities would be required to retain these documents for six years, which is the statute of limitations period for the civil penalties. We note that additional records or compliance reports may be required by the Secretary for enforcement of this rule. (§ 164.522(d)(1)).


Footnote

(1) The Small Business Administration defines small businesses in the health care field as those generating less than $5 million annually. Small businesses represent approximately 85% of health care entities.