The HIPAA Administrative Requirements - specifically HIPAA Privacy §164.530 outline in detail various broad-based measures required to be in place by covered entities (and at times, business associates), such as the following:
- Personnel Designations: A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.
- Workforce Training: A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information. More specifically, a covered entity must provide training that meets the requirements in the following manner: (A) no later than the compliance date for the covered entity. (B) Within a reasonable period of time after the person joins the covered entity's workforce. (c) To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures. Additionally, a covered entity must document that the training has been provided, as required.
- Safeguards: A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. Additionally, a covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure. Moreover, a covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures.
- Complaints: A covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures.
- Sanctions: A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity.
- Mitigation: A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures.
- Waiver of Rights: A covered entity may not require individuals to waive their rights under § 160.306 of this subchapter.
- Policies and Procedures: A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements. Additionally, a covered entity must change its policies and procedures as necessary and appropriate to comply with changes in the law.
- Changes in Law: Whenever there is a change in law that necessitates a change to the covered entity's policies or procedures, the covered entity must promptly document and implement the revised policy or procedure.
- Changes to Privacy Practices: To implement a change, a covered entity must:
- Ensure that the policy or procedure, as revised to reflect a change in the covered entity's privacy practice as stated in its notice, complies with the standards, requirements, and implementation specifications.
- (B) Document the policy or procedure.
- (C) Revise the notice as required by § 164.520(b)(3) to state the changed practice and make the revised notice available as required by § 164.520(c).
- Group Health Plans: A Group Health Plan that provides all health benefits through issuer or HMO and does not create or receive PHI other than summary health information or enrollment/disenrollment information is NOT subject to the requirements of this section except, the following:
- Prohibiting waiver of rights,
- Prohibiting retaliation and intimidation and
- Documenting plan amendments
Download HIPAA Policies and Compliance Toolkits Today
hipaapoliciesandprocedures.com also offers industry leading HIPAA toolkits for both Covered Entities (CE) and Business Associates (BA) consisting of high-quality security policies and procedures, training material, readiness checklists and templates, essential legal forms, a HIPAA specific disaster recovery manual, and so much more. Learn about our industry leading HIPAA compliance toolkits today.