AMC HIPAA Privacy Guidelines
Category I and II Guidelines
PRIV.01 Health care component § 164.504(b)
Category I Guidelines - Actions must be taken to address these
• If your entity is a hybrid entity, designate which components of your entity are healthcare components. Document this designation.
• Ensure that all healthcare components of your entity comply with HIPAA privacy requirements.
• Identify any individuals who work for both healthcare components and non-healthcare components of your entity and ensure that they treat protected health information in accordance with the HIPAA privacy requirements. Make sure this is done on a regular basis, as workforce members change jobs.
Category II Guidelines - Actions should be taken to address these
• Make specialized training available to help workforce members who work for both healthcare and non-healthcare components be aware of their responsibilities.
PRIV.02 Affiliated covered entities § 164.504(d)
Category I Guidelines - Actions must be taken to address these
• If an affiliated entity is created, make sure to document its creation according to the requirements of §164.530(j).
Category II Guidelines - Actions should be taken to address these
• Consult your legal staff about whether the creation of an affiliated entity would be advantageous.
PRIV.03 Business associate contracts § 164.504(e)(1)
Category I Guidelines - Actions must be taken to address these
• Develop a Chain of Trust Agreement, which must include:
  - Signatures of contracting parties. The contracts can be free-standing, or can be incorporated into, or as an addendum to, another contract.
  - Contract start date, expiration date, and/or review date. A certification audit must be documented and attached to the agreement.
  - Definition of Terms and Conditions, which must include conditions for disclosure of protected health information, data rights of each party, and minimum levels of security to be maintained.
  - Procedures for reporting breaches within a designated time frame.
  - A method of recording breaches. Each party must be able to provide its incident log for periodic inspection and upon demand.
  - Penalties for non-compliance (intentional versus unintentional).
  - Procedures for the retention and/or destruction of data.
  - Language requiring that subcontractors to the contracting party comply with the requirements of HIPAA privacy, together with a mutually agreed method for monitoring such compliance.
Category II Guidelines - Actions should be taken to address these

• Implement a method to identify all of your entity's contracts.
• Develop standard contract terms for HIPAA privacy business associate provisions.
• Incorporate HIPAA business associate terms into existing contracts as part of your contract renewal process.
PRIV.04 Requirements for group health plans § 164.504(f)(1)
Category I Guidelines - Actions must be taken to address these
• A group health plan must amend its plan documents to:
  - Establish permitted and required uses and disclosures of protected health information by the plan sponsor;
  - Describe which workforce members of the plan sponsor will be given access to the group health plan's protected health information;
  - Restrict access to and use by these workforce members to the plan administration functions which the plan sponsor performs for the group health plan;
  - Provide a procedure for resolving issues of noncompliance.
• The group health plan's sponsor must agree to:
  - Not use or further disclose protected health information provided by the plan other than as permitted or required by the plan documents or required by law;
  - Ensure that its agents adhere to the same rules it adheres to;
  - Not use protected health information for employment-related actions and decisions;
  - Not use protected health information for any other benefit or employee benefit plan;
  - Report any improper uses or disclosures of protected health information to the group health plan.
• The group health plan's sponsor must make certain information available to the group health plan:
  - Make protected health information available to the group health plan for purposes of supporting requests to the plan for access to or amendment of protected health information.
  - Make history of disclosures by the plan sponsor available to the group health plan.
• The group health plan's sponsor must make its internal practices, books, and records relating to the use and disclosure of protected health information received from the group health plan available to the Secretary of HHS for the purpose of determining whether it is in compliance.
• The group health plan's sponsor must (if feasible) return or destroy protected health information when it is no longer needed.
Category II Guidelines - Actions should be taken to address these
• Pay special attention to the provisions prohibiting a group health plan sponsor from using protected health information obtained from a group health plan for any employment-related action or decision. Consider clearly documenting which protected health information has been obtained under this section.

PRIV.05 Requirements for a covered entity with multiple covered functions § 164.504(g)
Category I Guidelines - Actions must be taken to address these
• Identify the individuals for whom you provide only health plan services or only healthcare provider services.
• For individuals for whom you provide only health plan services, limit your uses and disclosures of their protected health information to those permitted to a health plan by the regulation.
• For individuals for whom you provide only healthcare provider services, limit your uses and disclosures of their protected health information to those permitted to a healthcare provider by the regulation.
Category II Guidelines - Actions should be taken to address these
None.
PRIV.06 Group health plans § 164.530(k)
Category I Guidelines - Actions must be taken to address these
• Determine whether your entity is exempt under this section.
Category II Guidelines - Actions should be taken to address these
None.
PRIV.07 Consent requirement § 164.506(a)
Category I Guidelines - Actions must be taken to address these
• Develop a procedure and a consent form to secure written consent for use or disclosure of protected health information to carry out treatment, payment, and health care operations when an individual first presents himself or herself to the covered entity.
• If protected health information is used or disclosed for treatment, payment, or health care operations without consent in an emergency, or as required by law, or if consent could not be obtained because of barriers in communication, attempt to get consent as soon as possible. If consent cannot be obtained, document the effort to get consent and state the reason consent was not obtained.
• Determine what action the covered entity will take if an individual will not consent to use or disclosure of protected health information for treatment, payment, or health care operations.
• Identify actions to be taken when an individual revokes his or her consent. (The covered entity must comply with the revocation, except to the extent that the covered entity has taken action in reliance upon the original consent.)
• Develop a procedure to document and retain an individual's signed consent.
• Adopt a standard form for consent requests that contains all necessary elements cited in §164.506(c), as follows:
  - is written in plain language;
  - informs the individual that protected health information may be used and disclosed for treatment, payment, or health care operations;
  - informs the individual that the covered entity may change its privacy practices as described in its privacy notice and tells the individual how to get a revised notice;
  - states that the individual has a right to request restrictions upon use and disclosure of protected health information for treatment, payment and health care operations; that the covered entity does not have to agree to requested restrictions; and that if the covered entity does agree to restrictions, the restrictions are binding.
• Prohibit the use or disclosure of protected health information for marketing, sale, fund raising, and health plan enrollment decisions, employment determinations, or disclosure to non-related divisions and employers unless patient authorization is secured under §164.508/PRIV.10.
Category II Guidelines - Actions should be taken to address these
• Consider obtaining consent for use or disclosure of protected health information even when it is not required.
• Consider using a time and date stamp on consent forms to be sure the handling of patient information was appropriate at the time it was done.
• Consider having a single point for disclosure of all information from the covered entity, even if decisions to use or disclose are made elsewhere.
• Instruct the privacy official to work with legal staff to ensure that contracts and business associate agreements reflect appropriate concern for the privacy and security of patient information.
• Consult with legal counsel about the documentation needed to support use or disclosure of protected health information when the entity was unable to obtain consent.
PRIV.08 Resolving conflicting consents and authorizations § 164.506(e)
Category I Guidelines - Actions must be taken to address these
• Develop a procedure to determine whether more than one consent for use and disclosure of protected health information exists for an individual.
• If more than one consent exists, determine if any conflicts exist between them, and if conflicts exist adhere to the most restrictive.
Category II Guidelines - Actions should be taken to address these
• Develop a procedure for securing consents that will minimize the number of consents from any one individual and thus reduce the incidence of conflicts.
• Consider developing a single standard consent form for use in all encounters with an individual, and changing it infrequently.
• If a consent conflict exists, contact the individual to clarify his or her preference and either:
  - Obtain a new written consent for use and disclosure or other clarification in writing, indicating that this document supersedes all other consents; or
  - Communicate with the individual, obtain verbal clarification, and document the conversation; and
  - Either way, from this point on, only use or disclose protected health information for treatment, payment, or health care operations as clarified by this contact.
PRIV.09 Joint consents § 164.506(f)
Category I Guidelines - Actions must be taken to address these
Determine if the covered entity is eligible to, or wants to, participate in a joint consent with others. If so:
• Create a joint consent form that meets the requirements of this standard:
  - Include on the joint consent form the individual names of each organization in the joint organization;
  - Include the other requirements of consent forms as specified in § 164.506(a).
• Establish a process for revocation of consent.
• Establish a process to notify each covered entity in the joint arrangement of revoked consents.
• Develop and use a joint notice of privacy practices.
Category II Guidelines - Actions should be taken to address these
• Establish a process to recognize which individuals have no consent or have revoked consent for the use or disclosure of their protected health information for the purpose of treatment, payment, or health care operations.
• Establish a procedure that protects the protected health information of individuals with a revoked consent from use or disclosure.
PRIV.10 Authorizations for uses and disclosures § 164.508(a)
Category I Guidelines - Actions must be taken to address these
• Develop a clearly written and complete statement covering use and disclosure practices for the covered entity, and publish it in the privacy notice.
• Develop policies to document and retain any signed authorization.
• Ensure that policies are in place and are followed for authorizations for use and disclosure of protected health information for psychotherapy notes, for compound authorizations, and for treatment related to research.
• Adopt appropriate forms for use and disclosure authorizations that contain each of the core elements cited in the regulation as follows:
  - describes the information to be used or disclosed;
  - identifies the person authorized to make the requested use or disclosure;
  - identifies the person to whom the covered entity may make the requested use or disclosure;
  - includes an expiration date or an event that triggers expiration;
  - states that the individual has a right to revoke the authorization, with exceptions identified, and describes how revocation may be done;
  - includes the individual's signature and the date;
  - if signed by a personal representative, includes a description of the representative's authority;
  - is written in plain language.
• Develop policies to ensure that the individual is given a copy of each signed authorization requested by a covered entity for its own use and disclosure or for disclosures requested by others.
• Prohibit use or disclosure of protected health information for sale, health plan enrollment decisions, and employment determinations, and prohibit disclosure to non-related divisions and employers unless appropriate patient authorization has been secured.
Category II Guidelines - Actions should be taken to address these
• Consider having a single point for disclosure of all information from the covered entity, even if decisions to use or disclose are made elsewhere.
• Have the privacy official work with legal staff to ensure that the covered entity's contracts and business partner agreements reflect appropriate concern for the privacy and security of patient information.
• Develop clearly understood use and disclosure guidelines for development and marketing functions.
• Consider defining a set of reasonably broad authorizations and developing the ability to track what the user has authorized.
PRIV.11 Right of an individual to request restriction of uses and disclosures § 164.522(a)(1)
Category I Guidelines - Actions must be taken to address these
• Establish a policy to allow or deny restrictions.
• Establish procedures for patients to request restrictions.
• Document any agreed-to restrictions.
• Establish a process to ensure communication of and compliance with any agreed-to restrictions.
• Notify others to whom restricted information is released of such restrictions.
• Establish a process to notify providers to whom protected health information has been disclosed for emergency care of any restrictions on use or disclosure that apply.
• Establish procedures for documenting and terminating a restriction for each of the following circumstances:
  - When an individual requests a termination in writing;
  - When an individual orally agrees to the termination;
  - When the covered entity informs the individual that it is terminating its agreement to a restriction.
Category II Guidelines - Actions should be taken to address these
• Develop an integrated audit function to track protected health information covered by restriction requests.
• Develop consistent policies regarding the application of restrictions for any provider agreeing to restrictions.
• Maintain a comprehensive record of any agreed-to restrictions.
• Identify any agreed-to restrictions within each affected patient's record.
PRIV.12 Effect of prior consents and authorizations § 164.532(a)

Category I Guidelines - Actions must be taken to address these
• Decide whether or not to treat protected health information created or received before the HIPAA compliance date with a different set of privacy consents and authorizations from protected health information created or received after the HIPAA compliance date.
• If protected health information will be handled in different ways depending on the date it was created or received, clearly identify the protected health information that existed before the HIPAA compliance date.
• Verify that uses and disclosures of protected health information are in accordance with the consent, authorization, or other documented wishes of the individual that were effective at the time the protected health information was created or received.
Category II Guidelines - Actions should be taken to address these
• Consider using HIPAA standards for all uses and disclosures of protected health information, whether it was created before or after the HIPAA compliance date, once the HIPAA regulations are in effect.
PRIV.13 Uses and disclosures of protected health information § 164.502(a)
Category I Guidelines - Actions must be taken to address these
• The covered entity must limit its uses and disclosures to those permitted or required.
Category II Guidelines - Actions should be taken to address these
• Consider managing the consents and authorizations centrally for each covered entity in the AMC.
• Consider obtaining compliant consents and authorizations prior to the effective date of the regulations.
• Examine and amend any programs for which patients may not currently give authorization to have their protected health information used or disclosed.
• Consider adapting existing procedures where only small changes are needed for compliance prior to starting new procedures in programs where no procedure currently exists.
PRIV.14 Uses and disclosures of protected health information subject to an agreed-upon restriction § 164.502(c)
Category I Guidelines - Actions must be taken to address these
• Abide by any restrictions the covered entity agrees to.
Category II Guidelines - Actions should be taken to address these
• Consider the practicality of respecting a restriction prior to agreeing to it, and weigh that practicality against the willingness of the patient to participate fully in care without the restriction.
• Consider the most common causes for requests for special restrictions, and design a small set of restriction protocols to accommodate these common causes where practical (e.g., celebrity, social stigma, physical danger).
• Establish a systematic way of communicating restrictions to workforce members, some of whom may become workforce members after the restriction comes into being.
• Avoid making the totality of special restrictions for patients treated by the same workforce members too complex for the staff to respect all of them.
• When patients ask for restrictions that cannot be agreed to, the covered entity should, when possible, refer them to a facility that can honor the restriction.
• Examine existing programs for providing aliases for patients for use in complying with this provision.
PRIV.15 Uses and disclosures of de-identified protected health information § 164.502(d)
PRIV.16 Disclosures to business associates § 164.502(e)
Category I Guidelines - Actions must be taken to address these
• Covered entities must create and manage the contractual requirements as provided in this section.
Category II Guidelines - Actions should be taken to address these
• To improve efficiency, consider using terms that standardize the operational requirements on the covered entity and on its business associates.
• Consider encouraging the business associate community to use standard terms so it will have standardized operational requirements with all of the covered entities with which it contracts.
• Engage in a systematic process of review, amendment (or creation), and negotiation of contracts well before the effective date of the regulations.
PRIV.17 Deceased individuals § 164.502(f)
PRIV.18 Personal representatives § 164.502(g)
Category I Guidelines - Actions must be taken to address these
• Develop policy and procedures for determining who qualifies as a personal representative.
Category II Guidelines - Actions should be taken to address these
• The designated personal representative should be explicitly documented.
• The designated personal representative should be educated on his or her rights and responsibilities.
PRIV.19 Confidential communications § 164.502(h)
PRIV.20 Uses and disclosures consistent with notice § 164.502(i)
Category I Guidelines - Actions must be taken to address these
• Ensure that the covered entity's privacy practices with respect to use and disclosure of protected health information are consistent with its notices of privacy practices.
Category II Guidelines - Actions should be taken to address these
• Consider developing and implementing measures to determine how well practice conforms to the notice (e.g. surveys, counts of complaints of deviation).
PRIV.21 Disclosures by whistleblowers and workforce member crime victims § 164.502(j)
Category I Guidelines - Actions must be taken to address these
• Covered entities are not required to do anything to comply with this portion of the regulation other than to be aware that such conditions exist and are defined in the regulation.
Category II Guidelines - Actions should be taken to address these
• Create or bolster internal reporting and compliance programs so as to reduce the need for whistleblower disclosures.
• Ensure that it is practical for workforce members who are crime victims to limit their disclosures to law enforcement to the items listed in the regulation.
• When making disclosures under this section, note that the disclosure is made pursuant to this section.
PRIV.22 Use and disclosure for facility directories § 164.510(a)
Category I Guidelines - Actions must be taken to address these
• Limit protected health information in patient directories to name, location in facility, general statement of condition, and religious affiliation.
• Limit disclosure of religious affiliation to members of the clergy only.
• Limit other disclosures of protected health information in patient directories to persons who ask for individuals by name.
• Provide individuals with an opportunity to restrict or prohibit the use of some or all of their protected health information in patient directories unless they are unable to communicate their preferences due to emergency circumstances or incapacity.
Category II Guidelines - Actions should be taken to address these
• Establish policies and procedures for authenticating members of the clergy.
• Establish mechanisms that ensure patients' conditions are appropriately described.
• Consider the meaning of the term "impracticable" as used here. It is generally taken to be a stronger standard than "impractical."
• Consider routing some inquiries to personnel who have been specially trained to handle sensitive cases.

PRIV.23 Uses and disclosures for involvement in the individual's care and notification purposes § 164.510(b)
Category I Guidelines - Actions must be taken to address these
• Develop and implement policies and procedures that help ensure appropriate and correct use and disclosure under this section.
Category II Guidelines - Actions should be taken to address these
• Develop and implement policies and procedures that help ensure that disclosures under this section are not made to inappropriate persons.
PRIV.24 Uses and disclosures of protected health information for marketing § 164.514(e)(1)
Category I Guidelines - Actions must be taken to address these
• For health related products:
  - Identify the covered entity in the marketing communication.
  - If the covered entity receives direct or indirect remuneration, state that fact prominently in the communication.
  - Except for newsletters and the like, offer individuals the opportunity to opt out of future such communications.
  - Maintain a record of the disclosures.
Category II Guidelines - Actions should be taken to address these
• Have a central method to manage opt-outs.
PRIV.25 Uses and disclosures for fundraising § 164.514(f)(1)
Category I Guidelines - Actions must be taken to address these if fundraising is pursued:
• Include an opt-out method.
• Make reasonable efforts to ensure that opt-outs are honored across the covered entity.
• Maintain a record of disclosures.
• Include a statement in the privacy notice if patient information will be used to target patients for receipt of fundraising materials.
Category II Guidelines - Actions should be taken to address these
• Review the notice of privacy policy to determine whether it permits the use of other protected health information for fundraising.
PRIV.26 Uses and disclosures for underwriting and related purposes § 164.514(g)
Category I Guidelines - Actions must be taken to address these
• Develop policies and procedures to limit the use or disclosure of protected health information received as part of an unsuccessful application process for health insurance or other health benefits to only that required by law.
Category II Guidelines - Actions should be taken to address these
None.
PRIV.27 Uses and disclosures required by law § 164.512(a)
Category I Guidelines - Actions must be taken to address these
• Establish mechanisms to appropriately limit uses and disclosures required by law.
• Determine the legal relation of the requirements under this section to stricter state laws.
Category II Guidelines - Actions should be taken to address these
• Establish procedures for authenticating requests for disclosure of protected health information that is required or permitted under this section.
• Consider checklists in addition to narrative descriptions of reporting requirements to assist staff in avoiding errors in reporting.
• Involve legal staff and other knowledgeable individuals to ensure appropriate reporting.
• Maintain records of all disclosures under this section and the statutory rationale for each.
PRIV.28 Uses and disclosures for public health activities § 164.512(b)
Category I Guidelines - Actions must be taken to address these
• Develop and implement policies and procedures to ensure that the above reporting requirements are met.
Category II Guidelines - Actions should be taken to address these
• Establish procedures for authenticating requests for disclosure of protected health information that is required or permitted under this section.
• Consider checklists in addition to narrative descriptions of reporting requirements to assist staff in avoiding errors in reporting.
• Involve legal staff and other knowledgeable individuals to ensure appropriate reporting.
• Maintain records of all disclosures under this section and the regulatory rationale for each.
PRIV.29 Disclosures about victims of abuse, neglect, or domestic violence § 164.512(c)
Category I Guidelines - Actions must be taken to address these
• Develop and implement detailed policies, procedures, and mechanisms for permitted reporting.
• Develop a process for informing the individual about public health reports, making the report, and deciding whether or not to inform the individual.
Category II Guidelines - Actions should be taken to address these
• Establish procedures for authenticating requests for disclosure of protected health information that is required or permitted under this section.
• Consider flow charts in addition to narrative descriptions of reporting requirements to assist staff in avoiding errors in reporting.
• Involve legal staff and other knowledgeable individuals to ensure appropriate reporting.
• Document the fact that the report was made or that a decision was made not to report.

• Determine for your organization who will determine that a reportable event has occurred.
PRIV.30 Uses and disclosures for health oversight activities § 164.512(d)
Category I Guidelines - Actions must be taken to address these
• Develop and document a policy and process compliant with the requirements of this section for the disclosure of protected health information for health oversight activities.
• Maintain a record of disclosures for health oversight activities; § 164.528 implies the need to be able to provide a record of these disclosures as part of the disclosure history that entities must provide to individuals on request.
Category II Guidelines - Actions should be taken to address these
• Establish procedures for authenticating requests for disclosure of protected health information that is required or permitted under this section.
• Document all disclosures and the rationale for health oversight activities.
PRIV.31 Disclosures for judicial and administrative proceedings § 164.512(e)
Category I Guidelines - Actions must be taken to address these
• Develop and document a policy and process compliant with the requirements of this section for the disclosure of protected health information for judicial and administrative proceedings.
• Maintain a record of disclosures for judicial and administrative proceedings; § 164.528 implies the need to have a record of these disclosures as part of the disclosure history that entities must provide to individuals on request.
Category II Guidelines - Actions should be taken to address these
• Establish procedures for authenticating requests for disclosure of protected health information that is required or permitted under this section.
• Document all disclosures for judicial and administrative proceedings.
• Request either return of the disclosed protected health information or assurance that the protected health information has been destroyed.
PRIV.32 Disclosures for law enforcement purposes § 164.512(f)
Category I Guidelines - Actions must be taken to address these
• Develop policies and processes compliant with the requirements of this section for releasing protected health information to law enforcement agencies.
• Maintain a record of disclosures for law enforcement purposes; § 164.528 implies the need to have a record of these disclosures as part of the disclosure history that entities must provide to individuals on request.
• Determine if de-identified information would be adequate prior to making any disclosure.

Category II Guidelines-Actions should be taken to
address these
.
Establish procedures for authenticating requests for
disclosure of protected health
information that is required or permitted under this
section.
.
Request law enforcement agencies to return
disclosed protected health information or
report that the protected health information has been
destroyed.
.
Require law enforcement agencies to sign an
agreement that they will follow standards to
safeguard the disclosed protected health information.
PRIV.33 Uses and disclosures about decedents § 164.512(g)
Category I Guidelines - Actions must be taken to address these
• Develop policies and procedures for determining what information should be released, to whom it should be released, and how such releases should be documented.
Category II Guidelines - Actions should be taken to address these
• Establish procedures for authenticating requests for disclosure of protected health information that is required or permitted under this section.
• Develop a list of the minimum necessary protected health information to disclose to funeral directors.

PRIV.34 Uses and disclosures for cadaveric organ, eye, or tissue donation purposes § 164.512(h)
Category I Guidelines - Actions must be taken to address these
• Develop policies and procedures on how protected health information will be disclosed for the purpose of cadaveric tissue donation.
Category II Guidelines - Actions should be taken to address these
• Determine if minimum necessary disclosure is appropriate for procurement, banking, and transport resources, since the scope of their involvement may be limited.
• The actual transport team should be considered as the treatment team for whom the complete disclosure of protected health information is appropriate.

PRIV.35 Uses and disclosures for research purposes § 164.512(i)
Category I Guidelines - Actions must be taken to address these
• Ensure that the IRB or Privacy Board reviews relevant research proposals before researchers can obtain any protected health information.
• Provide training and funding to the IRB or Privacy Board so it can perform these duties.
Category II Guidelines - Areas where policies should be considered
• Update the IRB processes and documentation to reflect these new requirements.
• For research planning, consider using de-identified protected health information at the earliest opportunity in the data gathering cycle.
PRIV.36 Uses and disclosures to avert a serious threat to health or safety § 164.512(j)
Category I Guidelines - Actions must be taken to address these
• Develop policies and procedures on how protected health information can be disclosed to avert a serious threat to health and safety.
Category II Guidelines - Actions should be taken to address these
None.

PRIV.37 Uses and disclosures for specialized government functions § 164.512(k)
Category I Guidelines - Actions must be taken to address these
• Develop policies and procedures for the use and disclosure of protected health information for specialized government functions.
Category II Guidelines - Actions should be taken to address these
• Establish procedures for authenticating requests for disclosure of protected health information that is required or permitted under this section.
• Ensure that written and approved procedures are in place and available to all personnel associated with these agencies.
• Collaborate with specialized government agencies for effective transmission, use, and disclosure of protected health information.

PRIV.38 Disclosures for workers' compensation § 164.512(l)
Category I Guidelines - Actions must be taken to address these
• Develop a process and procedure for disclosure of the minimum necessary protected health information when it is requested by an authorized compensation agency.
Category II Guidelines - Actions should be taken to address these
• Establish procedures for authenticating requests for disclosure of protected health information that is required or permitted under this section.
• Confirm the existence of written policies and procedures that delineate responsibility and that identify that consent or authorization is not required when protected health information is disclosed to a lawful compensation agency.
• Communicate the covered entity's understanding of the standard to associated workers' compensation agencies.

PRIV.39 Minimum necessary § 164.502(b)
Category I Guidelines - Actions must be taken to address these
• Create and implement policies that identify and manage uses and disclosures of protected health information to which the minimum necessary standard does and does not apply.
Category II Guidelines - Actions should be taken to address these
• Routinely monitor procedures and practices related to managing the minimum necessary standard for effectiveness.
• Use technology, where appropriate, to restrict the flow of protected health information and to manage an accounting of what protected health information is shared with covered entities.
• Ensure that the right balance is struck between making protected health information needed for care available and ensuring that inappropriate access is inhibited.
PRIV.40 De-identification of protected health information § 164.514(a)
Category I Guidelines - Actions must be taken to address these
• Develop and implement policies, procedures, organizational structures, and processes for determining when and how to de-identify protected health information.
Category II Guidelines - Actions should be taken to address these
• Develop methods for monitoring the efficacy of de-identification strategies and for remedying failures to adequately de-identify.
• Be aware of and make use of "more advanced statistical techniques."
• Consider how to qualify people to do disclosure analysis.

PRIV.41 Minimum necessary requirements § 164.514(d)(1)
Category I Guidelines - Actions must be taken to address these
• Identify appropriate persons to determine what protected health information should be used, disclosed, and requested consistent with the minimum necessary standard.
• Ensure that the persons identified under paragraph (b)(2)(i) of this section make the minimum necessary determinations, when required.
• Within the limits of the covered entity's technological capabilities, provide for the making of such determinations individually.
• Define and implement only reasonable policies; the regulations don't require entities to accept unreasonable cost or disruption in pursuit of this objective.
Category II Guidelines - Actions should be taken to address these
• Develop and implement policies and procedures for uses and disclosures that are covered in the various other subsections on uses and disclosures. Key articles are:
  - § 164.508(a)(1) deals with authorizations for use or disclosure initiated by the affected individual.
  - § 164.514 deals with access of individuals to their own protected health information, but only mentions copying costs for records.
  - § 164.522 is a section entitled "Rights to request privacy protection for protected health information."
  - § 164.510 describes uses and disclosures permitted without individual authorization. Subsections are devoted to: public health; health oversight; judicial proceedings; coroners and medical examiners; law enforcement; government health data systems; directories; payment; research; emergencies; next-of-kin; other disclosures required by law; application to specialized classes (DOD, VA, other government workers).
PRIV.42 Verification requirements § 164.514(h)(1)
Category I Guidelines - Actions must be taken to address these
• Develop policies and procedures for verifying identity and authority of requestors:
  - Obtain representation or documentation of purpose from any person requesting protected health information under this regulation;
  - Verify the identity of persons requesting protected health information before giving them access;
  - Confirm that persons acting on behalf of a public official have appropriate statements on official letterhead before providing them with protected health information;
  - Establish a policy that legal authority is presumed when a request is made relative to a legal proceeding, warrant, subpoena, or order;
  - Develop a formal process to authorize disclosure in the absence of a written verification;
  - Make good faith efforts to identify the people requesting disclosure and the circumstances of disclosure as provided in this section.
Category II Guidelines - Actions should be taken to address these
• Develop policies that clearly define what sources of identification and what documents of authority can be used to verify permission for disclosure.
• Provide comprehensive guidelines and back-up resources to assist with questions of verification.
• When protected health information is released to a legal authority without valid consent, send a cover letter with the material containing a reminder to the recipients that the information is of a sensitive nature and must be handled as such. Retain a copy of the letter for the record.
• Consider existing processes for disclosure under this section in concert with verifications for parties to whom protected health information is disclosed.
• Brief frequent requestors of information on the procedural changes required under this standard.

PRIV.43 Notice of privacy practices § 164.520(a)
Category I Guidelines - Actions must be taken to address these
• Develop a policy and procedure to ensure that the required notices are implemented.
• Notices must have all the elements specifically required by the regulations, and comply with the provision requirements.
• Covered entities that maintain a customer service or benefits web site must post their notices on the web site and make the notice available electronically.
• If the entity makes a material change to the notice, the changed notice must be publicized within the timeframe specified.
Category II Guidelines - Actions should be taken to address these
• Include a brief, easy-to-read description of the key elements of the notice with the detailed version, to enhance patients' understanding.
• Consider incorporating privacy practices into a covered entity's "patient rights" literature and process in order to minimize the expense and inconvenience to both patient and entity and optimize its informational impact.
• Consider developing a means of accounting for the delivery of this notice as the covered entity delivers it.
PRIV.44 Confidential communications requirements § 164.522(b)(1)
Category I Guidelines - Actions must be taken to address these
• Provide a way for patients or plan members to request alternative means of communication, and accommodate such requests if there is a reasonable way to do so.
• Establish a procedure so all workforce members who are engaging in communications with a patient who has requested and received an agreement to use alternate means of communication are aware of the need to use those channels.
Category II Guidelines - Actions should be taken to address these
• Consider creating a limited set of alternative communications models and offering these models to patients or plan members requesting alternative means.
• Consider establishing a referral program for patients whose communications needs the covered entity cannot reasonably accommodate.
• Create a method of review to determine the effectiveness of alternative means of communication.
• Consult legal staff about what constitutes a reasonable request.

PRIV.45 Access to protected health information § 164.524(a)
Category I Guidelines - Actions must be taken to address these
• Develop and document policies and processes to receive and act upon an individual's request to access, inspect, and receive a copy of his or her protected health information, including the denial of such requests.
• Respond to requests within the timeframe specified in the regulation.
Category II Guidelines - Actions should be taken to address these
• Develop processes to release required protected health information to requestors.
• Develop legally defensible grounds for denials.
• Develop processes to review denial of requests.
• Develop processes to allow for access and appeal of decisions made by the AMC.
• Identify the authority to release protected health information and process denials and appeals.
• Consider including a temporary suspension of the patient's right of access to research records in research consent forms.
• Have the privacy official develop and maintain an inventory of the kinds of data the institution keeps about individuals.
PRIV.46 Right to amend § 164.526(a)
Category I Guidelines - Actions must be taken to address these
• Develop and document policies and processes to receive and act upon an individual's request to amend their protected health information, including the denial of such requests.
• Respond to requests within the timeframe specified in the regulation.
Category II Guidelines - Actions should be taken to address these
• Consider the provision of resources to assist patients with record reviews.
• Have the privacy official identify processes for retrieving protected health information about individuals pursuant to their request to revise that information.
• Have the privacy official define a process for evaluating, and accepting or rejecting, requests for correction and implementing corrections.
• Consider how to deal with the amendment process for paper and electronic records (including requests for removal of a record).
• Document the procedure well enough that it can be executed by workforce members who are unfamiliar with it or who do not perform it very often.
• Consider date-stamping requests.

PRIV.47 Right to an accounting of disclosures of protected health information § 164.528(a)
Category I Guidelines - Actions must be taken to address these
• Establish policies and procedures to ensure that disclosure records are retained.
• Maintain a record of all individuals requesting reports of disclosure and the disposition of those requests.
• On a case-by-case basis, determine whether disclosures must, may, or must not be reported.
• Establish a process to ensure that all covered disclosures are reported in a timely period.
• If an extension of the time limit is needed, ensure that the individual is notified of the delay as required by the regulation, and that the extension does not exceed permissible limits.
Category II Guidelines - Actions should be taken to address these
• Provide a system to audit access control with the ability to report all accesses of a patient's record.
• Publish the covered entity's fair information policy.
• Establish incident procedures that include reporting and response procedures.
• Maintain a list of those who access a record.
• Respond to requests within the timeframe specified in the regulation.
• Determine if the covered entity will charge for these reports and, if so, establish a basis for all such charges.
PRIV.48 Privacy Official § 164.530(a)(1)(i)
Category I Guidelines - Actions must be taken to address these
• Select a single individual to serve as the privacy official for each covered entity.
• Designate one privacy official for covered entities that consist of several subsidiaries pursuant to § 164.504(b).
• Maintain a written or electronic record of privacy official designation(s).
Category II Guidelines - Actions should be taken to address these
• Create a job description for the privacy official defining the position's role, responsibilities, and reporting relationship(s).
• The privacy official:
  - Should work with a committee representing several different components of the covered entity to develop and implement the privacy policy; and

PRIV.49 Privacy Contact Person or Office § 164.530(a)(1)(ii)
Category I Guidelines - Actions must be taken to address these
• Designate an individual or an office to receive complaints and provide information about matters covered by the covered entity's Notice of Privacy Practices (§ 164.520).
• Add the contact information to the covered entity's Notice of Privacy Practices.
• Maintain a written or electronic record of this personnel designation.
Category II Guidelines - Actions should be taken to address these
• Establish a reporting structure and process to involve persons with appropriate authority to investigate and track complaints.
• Ensure that the process of responding to complaints is done in a way that is consistent with good public relations practices as well as good privacy policy.
• Consider adding the reporting responsibility to an existing function or office.

PRIV.50 Training on Privacy § 164.530(b)(1)
Category I Guidelines - Actions must be taken to address these
• Train workforce members on privacy policy and procedure prior to the effective date of the privacy regulations.
• Thereafter, train new workforce members reasonably soon after they join the covered entity.
• When significant changes in policy and/or procedure occur, train the affected workforce members as soon as possible after such changes.
• Document the training in written or electronic form and retain the records for at least six years.
Category II Guidelines - Actions should be taken to address these
• Consider providing forms of training that help the trainee relate the policy to how they are to behave in their working environment.
• Consider including training on how to report a privacy problem.
• Consider "refresher" courses and periodic reminders for workforce members about privacy policy.
• Consider competency tests to evaluate training effectiveness.
PRIV.51 Safeguards § 164.530(c)(1)
Category I Guidelines - Actions must be taken to address these
• A covered entity must establish administrative, technical, and physical safeguards to protect the privacy of protected health information from unauthorized use or disclosure. These safeguards must be appropriate and reasonable.
Category II Guidelines - Actions should be taken to address these
• Engage in a risk analysis (as the proposed Security regulations require) and create and implement a risk management plan for both electronic and non-electronic information assets.
• Have the privacy official consult on safeguard requirements with the security officer and others responsible for information practices.
• Ensure that security and privacy officials have the authority necessary to implement effective safeguards.
• Have the privacy official create a list of reasonably anticipated threats and hazards to privacy of protected health information and unauthorized uses or disclosures.
• Be aware that many areas of section (g) address specific parts of the safeguards (training, complaints, sanctions, etc.) and consult those sections for details.

PRIV.52 Complaints to the covered entity § 164.530(d)(1)
Category I Guidelines - Actions must be taken to address these
• Identify a contact person or office to receive complaints about policies and procedures and compliance with them.
• Maintain a record of complaints and brief explanations of their resolution.
Category II Guidelines - Actions should be taken to address these
• Determine whether the person or office identified to receive complaints will handle them personally or triage them for handling by others.
• Determine timeframes and protocols for handling and reporting complaints.
• Use complaints as evaluative and improvement tools where appropriate.
• Determine who will access complaint information and for what purposes.
• Specify a method to track complaints.
• Report periodically on resolutions of complaints.
• Coordinate this requirement with the covered entity's Patient Rights policy.

PRIV.53 Sanctions § 164.530(e)(1)
Category I Guidelines - Actions must be taken to address these
• Develop sanctions against workforce members who fail to comply with the covered entity's privacy policy.
• Charge an individual or group to review policy and procedural violations and specify corrective and/or disciplinary action.
• Apply disciplinary action as necessary and appropriate.
• Document corrective and disciplinary action taken.
Category II Guidelines - Actions should be taken to address these
• Make sanctions progressive and commensurate with the severity, frequency, and intent of violations.
• Apply sanctions equitably without regard to an offender's role or position within the covered entity.
• Include termination of employment or contract relationship and/or criminal prosecution as possible sanctions.
• Include provision for sanctions in contract and labor agreements.
• Coordinate sanctions with the covered entity's human resources department.
• Consider establishing progressive sanctions, such as verbal warning, written warning, up to termination, and determine when progressive sanctions are appropriate.
• Make workforce members aware of the sanction procedures.
PRIV.54 Mitigation § 164.530(f)
Category I Guidelines - Actions must be taken to address these
• Minimize harmful effects resulting from unauthorized use or disclosure of protected health information by:
  - Containing the damage and stopping further compromise; and
  - Informing those responsible for the policy or procedural breach to prevent future actions that would have harmful effects.
Category II Guidelines - Actions should be taken to address these
• Consider whether inappropriate use or disclosure may in itself constitute a harmful effect. (This is a legal issue. See Comments.)
• Consider notifying individuals if misuse or inappropriate disclosure of their protected health information will likely lead to a harmful effect.
• Include contract language to transfer the potential financial burden of harm to business associates.

PRIV.55 Refraining from intimidating or retaliatory acts § 164.530(g)
Category I Guidelines - Actions must be taken to address these
• Establish policies and procedures that prohibit intimidation, threats, coercion, discrimination, or retaliatory action against individuals who exercise their rights under this act.
Category II Guidelines - Actions should be taken to address these
• Communicate the non-retaliation policy through related policies and programs (e.g., Standards of Conduct, Mutual Respect, and/or the Integrity Program).
• Consider reporting mechanisms that protect complainants against retaliation (e.g., removing complainants' identifying information from complaint reports).
• Coordinate with human resources and labor relations representatives.
PRIV.56 Waiver of rights § 164.530(h)
Category I Guidelines - Actions must be taken to address these
• Do not require individuals to waive their rights to file a complaint or their other rights under the privacy standards as a condition of treatment, payment, and enrollment in a health plan or eligibility for benefits.
Category II Guidelines - Actions should be taken to address these
• Consider not putting waivers of rights on consent forms.
• Covered entities should not ask patients to waive their privacy rights.

PRIV.57 Policies and procedures § 164.530(i)(1)
Category I Guidelines - Actions must be taken to address these
• Implement a reasonable policy/procedure set given the covered entity's size and type of operations. (Group health plans that operate as described in § 164.530(k) need not conform to this requirement.)
Category II Guidelines - Actions should be taken to address these
• Formally determine how the covered entity's size and type affect its required policy/procedure creation and implementation process.

PRIV.58 Changes to policies or procedures § 164.530(i)(2)
Category I Guidelines - Actions must be taken to address these
• Change policies and procedures when changes to law or regulations require it.
• If the privacy notice provides for changes, change it when policies that affect it change. The new notice will either cover all protected health information, or only new information, depending on whether the prior notice reserved the right to change.
• Document the policy and procedure change process, either in writing or electronically.
Category II Guidelines - Actions should be taken to address these
• Consider reserving the right to change privacy policy in the privacy notice.
• Consider the logistics and communications issues of changes when crafting privacy policies and notices, to employees as well as patients.
• Determine how covered entity size, complexity, and type affect the policy/procedure creation and implementation process.

PRIV.59 Documentation § 164.530(j)
Category I Guidelines - Actions must be taken to address these
• Document privacy policies and procedures in written or electronic form.
• Document required communications, designations, actions, and activities.
• Record date of creation and last date of effectiveness of documents.
• Maintain required documentation for six years from date of creation or the date when the policy or procedure was last in effect, whichever is later.
Category II Guidelines - Actions should be taken to address these
• Promulgate the policy on documentation from the highest organizational level.
• Clearly delineate responsibility for documentation of policies and procedures.
• Specify the rescission and review dates for documentation.
• Centralize retention of policy and procedure documentation.
• Communicate to managers that a lack of documentation may be interpreted as failure of compliance.
• Organize documentation in such a way that it can be identified when necessary.
• Centralize and standardize documentation across the organization so that it is easily accessible.