CMA: Compliance Criteria

Disclaimer:

The information provided in this document does not constitute, and is no substitute for, legal or other professional advice.  Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns.

 

HIPAA Privacy and Security Compliance Criteria

This document contains a summary of the HIPAA compliance criteria addressed by the PrivaPlan™ HIPAA Privacy and Security Compliance Resource Kit.  The criterion identifier indicates the section of the regulation in which the regulatory text that relates to the criterion can be found.  All criteria are taken from a review of Title 45 of the Code of Federal Regulations.  The regulatory text relating to the “164.502(a)” criterion, for example, can be found in Title 45 of the Code of Federal Regulations, Part 164, section 502, paragraph (a).

 

IMPORTANT NOTE: The descriptive text following the criterion identifier in this document presents only a general picture of the criterion.  Complying with this descriptive text may not be sufficient to meet HIPAA requirements.  To meet the compliance criterion it is necessary to read and understand the regulatory text itself.  For your convenience, formatted copies of the HIPAA privacy and security regulations can be found in the PrivaPlan HIPAA Reference Material folder.  Each identifier is hyperlinked to the appropriate section of the HIPAA privacy or security regulation.  (Be careful not to move or rename any resource kit documents; moving or renaming documents could break the hyperlinks.)

 

PROHIBITED DISCLOSURES

 

Basic Privacy Protection

 

164.502(a):  A covered entity may not use or disclose protected health information except as provided in the HIPAA privacy rule.  Those provisions include uses and disclosures to the individual (patient or health plan member) himself or herself; for treatment, payment or health care operations; as authorized by the individual; for research, public health or health care operations in the form of limited data sets; for listings in facility directories or disclosures to those involved in the individual’s care provided that the individual does not object; to business associates; as required by law for health oversight activities, compliance investigations or other public purposes.

 

Deceased Individuals

 

164.502(f):  HIPAA privacy protections include protection of information that pertains to a deceased individual.

 

Consistency with Notice

 

164.502(i):  A covered entity may not use or disclose protected health information in a manner that is inconsistent with its notice of information practices.

 

Physician-Patient Privilege

 

164.512(j)(2):  A covered entity may not disclose protected health information to reduce the possibility of harm caused by a criminal act if the information was learned in the course of treatment intended to reduce the propensity to commit that criminal conduct.

 

Underwriting Disclosures

 

164.514(g):  A health plan that receives protected health information for the purposes of underwriting, premium rating, etc. may not use or disclose this information for any other purpose.

 

Access Locked by Agency or Official

 

164.528(a)(2)(i):  If a health oversight agency or law enforcement official provides a written statement that an accounting of the disclosures a covered entity made to such agency or official about an individual (patient or health plan member) would interfere with official business, then the covered entity must temporarily suspend the individual’s right to receive an accounting of those disclosures for the duration specified by the agency or official.

 

DISCLOSURES REQUIRING OPPORTUNITY TO AGREE OR OBJECT

 

Listings in Facility Directories

 

164.510(a)(2):  A covered entity must advise an individual (patient) of protected health information relating to them that may be listed in a facility directory (of an inpatient or residential institution) and provide the individual with the ability to object, except in emergencies or if the individual is incapacitated.

 

164.510(a)(1)(i): A facility directory may contain only certain information (name, location, general condition, religious affiliation).

 

164.510(a)(1)(ii)(A): A covered entity may disclose religious affiliation only to members of the clergy.

 

164.510(a)(1)(ii)(B): A covered entity may disclose facility directory information only to persons who ask for the individual by name, with certain exceptions (e.g. members of the clergy).

 

Disclosures to Persons Involved with the Individual

164.510(b):  A covered entity must provide the individual with an opportunity to object prior to revealing protected health information to family, friends, or others involved with the care of the individual (patient).

 

164.510(b)(3): If a covered entity exercises professional judgment to disclose information to a person involved in the individual’s care when the individual is not present, then the covered entity may disclose only the protected health information directly relevant to the person’s involvement with the individual’s care.

 

DISCLOSURES FOR TREATMENT, PAYMENT, OR HEALTH CARE OPERATIONS (TPO)

 

Health Care Operations Disclosures

164.506(c)(4): A covered entity may disclose protected health information to another covered entity only under certain conditions. (Each entity must have had a relationship with the individual; the information disclosed must pertain to that relationship, etc.)

 

Restrictions on Use and Disclosure for Treatment, Payment, Health Care Operations

 

164.522(a)(1)(i):  A covered entity must permit an individual (patient or health plan member) to request restriction of uses and disclosures of protected health information for treatment, payment or health care operations or to family, friends, or others involved in the health care of the individual.  The covered entity is not required to agree to the requested restriction.

 

164.502(c):  If a covered entity agrees to a restriction on the use of protected health information, the covered entity is bound by that restriction, except in emergency situations.

 

164.522(a)(2):  A covered entity may terminate its agreement to a restriction request only under certain circumstances.  (The individual agrees, termination applies only to information collected after the termination, etc.).

 

DISCLOSURES REQUIRING AUTHORIZATION

 

Disclosures Must be Consistent with Authorizations

 

164.508(a)(1):  When a covered entity uses or discloses protected health information for a purpose that requires authorization from the individual (patient or health plan member) it must use or disclose the information in a way that is consistent with the terms of the authorization.

 

Authorization Required for Disclosure of Psychotherapy Notes

 

164.508(a)(2):  Authorization is required for any use or disclosure of psychotherapy notes, with certain exceptions.  (Training purposes, use by the originator for treatment, to defend against legal actions.)

 

Mandatory Contents of Authorization

164.508(c): An authorization must have certain elements in it, for example it must be in plain language, it must describe the information to be used or disclosed, contain an expiration date or expiration event, etc.


164.508(a)(3)(ii): The authorization must state that remuneration is involved if the covered entity receives any form of payment from a third party due to any marketing activity allowed by the authorization.

 

Individual Retains a Copy of the Authorization

 

164.508(c)(4):  If the covered entity seeks an authorization from an individual, the individual must be provided with a copy of the authorization.

 

Authorizations May be Defective

 

164.508(b)(2): A covered entity may not use or disclose protected health information pursuant to an authorization that is defective.  An authorization is defective if it has expired; it is incomplete; it has been revoked; it is known to be false; it is part of a compound authorization; or treatment, payment, enrollment or eligibility has been conditioned on obtaining the individual’s signature.

 

Compound Authorizations Not Allowed

 

164.508(b)(3):  An authorization may not be combined with another document to create a compound authorization, with certain exceptions.  (Multiple authorizations for the same research study or authorizations for the use or disclosure of psychotherapy notes.)

 

Revocation

 

164.508(b)(5): An individual may revoke an authorization at any time with certain exceptions.  (The covered entity has taken action in reliance on the authorization, the authorization was obtained as a condition of obtaining insurance coverage, etc.).

 

MINIMUM NECESSARY DISCLOSURE

Disclosure Limitations

 

164.502(b):  A covered entity is required to make reasonable efforts to limit the amount of protected health information used or disclosed to the minimum necessary to accomplish the purpose of the use or disclosure with certain exceptions (e.g. treatment, disclosures to the individual, required by law, required for compliance reviews, authorized by the individual, etc.).

 

164.512(j)(3):  A covered entity that discloses information to law enforcement about an individual (patient or health plan member) who admits participation in a violent crime may reveal only the admission and certain specified information.  (Name and address, social security number, date of birth, etc.).

 

164.514(d)(3)(i):  A covered entity must implement policies and procedures for routine disclosures to limit the information disclosed to that needed to accomplish the purpose of the disclosure.

 

164.514(d)(3)(ii):  A covered entity must develop criteria for non-routine disclosures to limit the information disclosed to the minimum necessary to accomplish the purpose of the disclosure.  The covered entity must review non-routine requests for disclosure on an individual basis.

 

164.514(d)(5):  A covered entity may not use, disclose or request an entire medical record unless the entire medical record is specifically justified as the amount of information needed to accomplish the purpose of the use, disclosure or request.

 

Minimum Necessary Requests for Disclosure

 

164.514(d)(4)(i):  A covered entity must limit its own requests for protected health information to the minimum necessary to accomplish the purpose for which the request is made.

 

164.514(d)(4)(ii):  A covered entity must establish policies and procedures to be used for its own routine requests for protected health information to ensure that it requests the minimum information needed to accomplish the intended purpose.

 

164.514(d)(4)(iii):  A covered entity must develop criteria to limit each of its non-routine requests for information to the minimum information necessary to accomplish the purpose of the request.  The entity must review each of its own non-routine requests for protected health information with respect to those criteria.

 

Minimum Necessary Access Privileges

 

164.514(d)(2):  A covered entity must identify classes of persons who need access to protected health information to carry out their duties and must establish the levels of access needed by each.  The covered entity must make reasonable efforts to limit access to the minimum information required to perform an assigned job function.

 

NOTICE

 

Individual’s Right to Notice

 

164.520(a)(1):  A covered entity, with certain exceptions (e.g. correctional institutions and group health plans), must provide a notice of information practices.

 

164.520(a)(2)(ii):  A group health plan that provides benefits through an insurance issuer or HMO and that creates or receives protected health information (in addition to summary information used for underwriting purposes) must maintain a notice of information practices and provide it to any person who requests it.

 

Timeliness

 

164.520(c)(1)(i):  A health plan must provide notice no later than the compliance date for the health plan to individuals then covered by the plan, to new enrollees at the time of enrollment and to all individuals covered by the plan within 60 days of a material revision to the notice.

 

164.520(c)(1)(ii):  A health plan must notify all individuals covered by the plan at least once every three years that the notice of information practices is available.  The health plan must also advise them of how to obtain a copy of the notice of information practices.

 

164.520(c)(2)(i):  A health care provider that has a direct treatment relationship with an individual (patient or health plan member) must provide notice of information practices no later than the date of the first service delivery following the compliance date for the provider or as soon as practicable after an emergency treatment situation.

 

Location of Notice

 

164.520(c)(2)(iii):  A health care provider that maintains a physical service delivery site must have copies of the notice of information practices available that individuals may take with them.  The provider must also post the notice where individuals seeking service may read it.

 

Notice of Revised Practices

 

164.520(c)(2)(iv):  A health care provider must make a revised notice of information practices available on request on or after the effective date of the revision.  If the covered entity maintains a physical service delivery site, it must promptly post the notice where patients may see it and make copies of the notice available.

 

Electronic Notice

 

164.520(c)(3)(i):  A covered entity that maintains a web site that provides information about the entity’s services must post its notice of information practices on the web site.

 

164.520(c)(3)(ii):  If a covered entity attempts to provide a notice of information practices electronically and knows that the transmission has failed, then the covered entity must provide a paper copy of the required notice of information practices.

 

164.520(c)(3)(iii):  If the first service to an individual is delivered electronically, a copy of the notice of information practices must be delivered, and an attempt must be made to gain a written acknowledgement that it has been received, contemporaneously with and in response to the request for service.

 

164.520(c)(3)(iv):  A covered entity must honor a request for a paper copy of the notice of information practices when the notice has previously been delivered electronically.

 

Mandatory Content of Notice

 

164.520(b):  The notice of privacy practices that a covered entity provides must contain certain mandatory elements.  (Heading, date, uses and disclosures of protected health information for treatment, payment, and health care operations, privacy rights of the individual, etc.).

Acknowledgement

 

164.520(c)(2)(ii): A covered entity must make a good faith effort to obtain a written acknowledgement of receipt of the notice except in an emergency situation and must document the efforts to obtain the acknowledgement if it cannot get the acknowledgement itself.

ACCESS

 

Individual’s Right to Access and Copy Protected Health Information

 

164.524(a)(1):  A covered entity must grant access to protected health information to the individual (patient or health plan member) with certain exceptions (e.g. psychotherapy notes, trial evidence, etc.).

 

164.524(c)(1):  A covered entity must provide access to protected health information to the individual in designated record sets (information used to make decisions about the individual).

 

164.524(c)(2)(i):  A covered entity must provide access to protected health information to the individual (patient or health plan member) in the form requested by the individual, if it is readily producible in such form.

 

Denial of an Individual’s Request for Access

 

164.524(d)(1):  If a covered entity denies an individual’s (patient or health plan member’s) request to access certain protected health information, the covered entity must allow access to all information for which the reason for the rejection does not apply.

 

164.524(d)(2):  If a covered entity denies an individual’s request to access certain protected health information, the denial must be in writing and must contain: the basis for the denial; a statement of the individual’s rights; and a description of how the individual (patient or health plan member) may appeal the decision.

 

164.524(a)(4):  If a covered entity has denied access to protected health information to the individual, the covered entity must allow review of the denial by a licensed health care professional (nominated by the covered entity) and must abide by the reviewer’s decision.

 

Miscellaneous Rules Governing Access by the Individual (Patient or Health Plan Member)

 

164.524(d)(3): If a covered entity does not maintain the protected health information requested by an individual (patient or health plan member), but knows where it is, the covered entity must inform the individual of where to direct the request.

164.524(b)(2)(i):  A covered entity must act on a request for access to protected health information by the individual within 30 days, with certain exceptions (e.g. 60 days is allowed if the information is not on site, extensions may be possible, etc.).

 

164.524(c)(4):  A covered entity may not charge fees for granting access to protected health information to the individual in excess of the cost of copying, postage and preparation of summaries or explanations.

 

AMENDMENT

 

Individual’s Right to Request Amendment

 

164.526(a)(1):  A covered entity must honor an individual’s (patient or health plan member’s) request to amend incorrect or incomplete protected health information, with certain exceptions (e.g. the information is accurate as is, etc.).

Timeliness

 

164.526(b)(2)(i):  A covered entity must act on an individual’s (patient or health plan member’s) request for amendment of protected health information within 60 days of the submission of the request.   (The covered entity is entitled to one 30-day extension if it provides the individual with the reasons for the delay.)

 

Denial of Individual’s Request for Amendment

 

164.526(b)(2)(i)(B):  A covered entity that denies a request for amendment of protected health information must notify the requestor in writing.

 

164.526(d): If a covered entity denies a request for amendment, the denial must have certain mandatory elements.  (The basis for the denial, statement of the individual’s rights, etc.)

 

Acceptance of Request

 

164.526(c)(1):  If a covered entity accepts a request for amendment of protected health information it must make the appropriate amendment or provide a link to the amendment in the designated record set.

 

164.526(c)(2):  If a covered entity accepts a request for amendment of protected health information it must inform the individual (patient or health plan member) and obtain a list of persons with whom the amendment is to be shared.

 

164.526(c)(3):  If a covered entity accepts a request for amendment of protected health information it must make reasonable efforts to provide the amendment to all persons identified by the individual (patient or health plan member).  The covered entity must also inform business associates known to have a copy of the inaccurate or incomplete information.

 

Transitivity

 

164.526(e):  A covered entity that is informed by another covered entity of an amendment to an individual’s health information must make the same amendment to its own copies of the information.

 

PERSONAL REPRESENTATIVES

 

Personal Representatives Have Rights to Access or Amend PHI

 

164.502(g)(1):  A covered entity must treat a personal representative of an individual (patient or plan member) as the individual for the purposes of protecting health information concerning that individual, with certain exceptions (e.g. the covered entity believes that the individual is the victim of abuse).

 

164.502(g)(2):  A covered entity must treat a person as a personal representative of an individual (adult or emancipated minor) if that person has the authority to act on behalf of the individual (as patient or health plan member) in making health care decisions.

 

Parents and Guardians are Personal Representatives

164.502(g)(3): A covered entity must treat a parent, guardian or person acting in loco parentis of an unemancipated minor as a personal representative of that minor, unless the minor may lawfully obtain the health care without parental consent.  If the minor may lawfully obtain the health care without parental consent, then the covered entity must follow state law with respect to disclosures to parents, guardians and persons acting in loco parentis. If state law is unclear on this matter a licensed health care professional may exercise his or her professional judgment.

 

Executors are Personal Representatives

 

164.502(g)(4):  A covered entity must treat a representative of a deceased person (e.g. executor, administrator, etc.) as a personal representative for the purposes of health information protection.

 

CONFIDENTIAL COMMUNICATIONS CHANNELS

 

Individual’s (Patient or Health Plan Member’s) Right to Request Alternate Communication Channels

 

164.522(b)(1)(i):  A health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information by alternate means or at alternate locations.

 

164.522(b)(1)(ii):  A health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information by alternate means or at alternate locations if the individual clearly states that disclosure could endanger the individual.

 

ACCOUNTING OF DISCLOSURES

 

Individual’s Right to an Accounting of Disclosures

 

164.528(a)(1):  A covered entity must provide an individual (patient or health plan member) with an accounting of disclosures of protected health information on request, with certain exceptions (e.g. treatment, payment or health care operations, etc.).

 

164.528(b): When a covered entity provides an accounting of disclosures, it must include certain mandatory elements.  (Date, to whom the disclosure was made, description of information disclosed, purpose of disclosure.)

 

COMPLAINT PROCESS

 

Individual’s Right to Lodge a Complaint

 

164.530(d)(1):  A covered entity must provide a process for individuals (patients or health plan members) to make complaints concerning the covered entity’s policies and procedures.

 

PROHIBITED ACTIVITIES

 

Intimidation

 

164.530(g):  A covered entity may not engage in any intimidating or retaliatory acts against persons who file complaints or otherwise exercise their rights under HIPAA regulations.

 

Conditioning

 

164.530(h):  A covered entity may not require an individual to waive the right to file a complaint as a condition of the provision of treatment, payment, enrollment in a health plan or eligibility for benefits.

 

164.508(b)(4):  A covered entity may not condition treatment, payment, enrollment or eligibility for benefits on the provision of an authorization to disclose protected health information by the individual (patient or health plan member), with certain exceptions (e.g. research-related treatment, etc.).

 

164.522(b)(2)(iii):  A covered health care provider may not require an individual (patient) to explain the reason for requesting confidential communications.

 

Employment-Related Disclosures

 

164.504(f)(3)(iv):  A group health plan may not disclose protected health information to a plan sponsor for the purpose of employment-related actions.

 

SAFEGUARDS

 

Specific Actions Must be Taken to Implement HIPAA Regulations

 

164.530(c)(1):  A covered entity must have in place appropriate administrative, technical and physical safeguards to protect the privacy of protected health information.

 

164.530(i)(1):  A covered entity must implement policies and procedures with respect to protected health information to comply with all HIPAA standards.

 

164.530(i)(2):  A covered entity must promptly change its policies and procedures to comply with changes in the law and document such changes.

 

MANAGEMENT CONTROLS

 

Security Policy

164.308(a)(1)(i): Each covered entity must implement policies and procedures to prevent, detect, contain and correct security violations.

 

164.530(e)(1):  A covered entity must have and apply sanctions against members of the workforce who fail to comply with privacy policies and procedures.

164.308(a)(1)(ii)(C): Each covered entity must apply sanctions against workforce members who fail to comply with security policies and procedures.  (Note:  This is a required implementation specification.)

164.316(b)(2)(iii): Covered entities must review policy and procedure documentation on a regular basis and make changes as needed.  (Note:  This is a required implementation specification.)

 

Supervision

164.308(a)(3)(ii)(A): Each covered entity must implement procedures for the authorization or supervision of workforce members who work with electronic protected health information or in areas where electronic protected health information may be accessed.  (NOTE:  This is an addressable implementation specification.)

164.308(a)(3)(ii)(C): Each covered entity must implement procedures for terminating a workforce member’s access to electronic protected health information when appropriate.  (NOTE:  This is an addressable implementation specification.)

 

Personnel

164.308(a)(3)(ii)(B): Each covered entity must implement a workforce clearance procedure for employees who will be given access to electronic protected health information.  (NOTE:  This is an addressable implementation specification.)

 

Responsibility Assignment

164.308(a)(2): Each covered entity must designate an individual who is responsible for the development and implementation of security policies and procedures.

 

164.530(a)(1)(i):  A covered entity must designate a privacy official who is responsible for development and implementation of privacy policies and procedures.

 

164.530(a)(1)(ii):  A covered entity must designate a contact person responsible for receiving complaints.

 

Documented Policies and Procedures

164.316(a): Covered entities must implement reasonable and appropriate information security policies and procedures.

 

TRAINING

 

All Workforce Members to be Trained on Policies and Procedures

 

164.530(b)(1):  A covered entity must train all members of its workforce on its policies and procedures with respect to protected health information.

164.308(a)(5)(i): Each covered entity must establish a security awareness-training program for all members of its workforce.

164.308(a)(5)(ii)(A): Each covered entity must include security reminders as part of its training program. (Note:  This is an addressable implementation specification.)

164.308(a)(5)(ii)(D): Each covered entity must establish procedures for creating, changing and safeguarding passwords. (Note:  This is an addressable implementation specification.)

 

SECURITY TESTING

 

Contingency Plan Testing

164.308(a)(7)(ii)(D): Each covered entity must have testing and revision procedures for its contingency plans.  (Note:  This is an addressable implementation specification.)

 

AUTHENTICATION

 

Requirement to Check the Identity and Authority of a Requestor

 

164.514(h)(1)(i):  A covered entity must verify the identity of a person who requests protected health information and the authority of the person to have access to the information they request.

 

164.514(h)(1)(ii):  A covered entity must obtain from the requestor any documents, statements or representations required before disclosing protected health information.

164.312(a)(2)(i): Each covered entity must assign unique user IDs to users who have access to electronic protected health information.  (Note:  This is a required implementation specification.)

 

Computer/Network Authentication

164.312(d): Each covered entity must implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

 

ACCESS CONTROL

 

Basic Access Control

164.312(a)(1): Each covered entity must implement technical access control policies and procedures to control access to electronic protected health information.

 

Transmitted Data

164.312(e): Each covered entity must implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.  (Note:  This includes addressable implementation specifications.)

 

Information Security Policies and Procedures

164.308(a)(4)(ii)(B): Each covered entity must establish policies and procedures for granting access to electronic protected health information. (Note:  This is an addressable implementation specification.)

 

Privilege Management

164.308(a)(4)(ii)(C): Each covered entity must establish policies and procedures for access establishment and modification. (Note:  This is an addressable implementation specification.)

 

Inactive Session Timeout

164.312(a)(2)(iii): Each covered entity must implement automatic logoff of inactive user sessions.  (Note:  This is an addressable implementation specification.)

 

Data Encryption

164.312(a)(2)(iv): Each covered entity must implement a method to encrypt and decrypt electronic protected health information.  (Note:  This is an addressable implementation specification.)

 

Media Access Control

164.310(d): Each covered entity must implement policies and procedures that govern the receipt and removal of media or components that contain electronic protected health information.  (Note:  This includes both addressable and required implementation specifications.)

 

Physical Access Control

164.310(a): Each covered entity must implement policies and procedures to limit access to information processing systems that contain electronic protected health information and to the facilities in which the systems are housed.  (Note:  This includes addressable implementation specifications.)

164.310(b): Each covered entity must implement policies for proper workstation use.

164.310(c): Each covered entity must establish physical safeguards to control access to workstations.

 

AUDIT

 

Security Audit

164.312(b): Each covered entity must implement mechanisms to record and examine system activity on systems that contain electronic protected health information.

 

DATA INTEGRITY

 

Data Authentication

164.312(c)(1): Each covered entity must implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

 

Transmitted Data

164.312(c)(2): Each covered entity must implement electronic mechanisms to ensure that electronic protected health information has not been altered or destroyed in an unauthorized manner.  (Note:  This is an addressable implementation specification.)

 

SECURITY/PRIVACY CONSISTENCY

 

Security Policies and Procedures Must Support Privacy Requirements

164.308(a)(3)(i): Each covered entity must implement policies and procedures to prevent access to electronic protected health information by workforce members that would be in violation of any privacy rule standard or implementation specification.

164.308(a)(4)(i): Each covered entity must implement policies and procedures for access to electronic protected health information that are consistent with the requirements of the privacy rule.

 

CONTINGENCY PLANNING

 

Risk Management

164.308(a)(7)(ii)(E): Each covered entity must include applications and data criticality analysis in its contingency plans.  (Note:  This is an addressable implementation specification.)

164.308(a)(1)(ii)(A): Each covered entity must conduct a formal risk analysis.  (Note:  This is a required implementation specification.)

164.308(a)(1)(ii)(B): Each covered entity must implement security measures to reduce risks to a reasonable and appropriate level.  (Note:  This is a required implementation specification.)

 

Backup

164.308(a)(7)(ii)(A): Each covered entity must include a data backup plan in its contingency plans.  (Note:  This is a required implementation specification.)

 

Disaster Recovery

164.308(a)(7)(ii)(B): Each covered entity must include a disaster recovery plan in its contingency plans.  (Note:  This is a required implementation specification.)

164.308(a)(7)(ii)(C): Each covered entity must include an emergency mode operation plan in its contingency plans.  (Note:  This is a required implementation specification.)

 

Incident Response

164.308(a)(5)(ii)(B): Each covered entity must establish procedures for guarding against, detecting and reporting malicious software. (Note:  This is an addressable implementation specification.)

164.308(a)(6)(i): Each covered entity must establish procedures to handle security incidents.

 

164.308(a)(1)(ii)(D): Each covered entity must regularly review records of system activity. (Note:  This is a required implementation specification.)

164.308(a)(5)(ii)(C): Each covered entity must establish procedures for monitoring log-in attempts and reporting discrepancies. (Note:  This is an addressable implementation specification.)

164.308(a)(6)(ii): Each covered entity must include response and reporting in its security incident procedures.  (Note:  This is a required implementation specification.)

164.308(a)(7)(i): Each covered entity must establish and implement (as needed) contingency plans.

164.310(a)(2)(i): Each covered entity must establish and implement procedures for facility access in support of its disaster recovery and emergency mode operation procedures.  (Note:  This is an addressable implementation specification.)

164.312(a)(2)(ii): Each covered entity must establish emergency access procedures.  (Note:  This is a required implementation specification.)

 

MITIGATION

 

Policy or Procedure Violation

 

164.530(f):  A covered entity must mitigate to the extent possible the harmful effects of a violation of its privacy policies and procedures.

 

Emergency Disclosures

 

164.522(a)(1)(iv):  If a covered entity discloses protected health information for emergency treatment, the covered entity must request that the health care provider not further use or disclose the information.

 

164.512(c)(2):  A covered entity that discloses protected health information to a government authority concerning a victim of abuse must promptly notify the individual (suspected victim), with certain exceptions (e.g. doing so would place the individual at risk).

 

MANDATORY DOCUMENTATION

 

General

 

164.530(j)(1)(ii):  A covered entity is required to keep copies of all communications that are required to be in writing.  (Denials of requests for access, amendment and accounting of disclosures, etc.)

 

164.530(j)(1)(iii):  A covered entity is required to keep records of all actions, activities and designations that are required to be documented.

 

Policies and Procedures

164.316(b)(1)(i): Covered entities must maintain the policies and procedures adopted to comply with HIPAA security standards in written form.

 

Actions, Activities and Assessments

164.316(b)(1)(ii): Covered entities must maintain written records of actions, activities and assessments that are required by the HIPAA security rule to be in writing.

164.316(b)(2)(i): Covered entities must maintain records of policies and procedures and the written records of actions, activities and assessments that are required by the HIPAA security rule to be in writing for at least six years beyond the date of creation or the date last in effect.  (Note:  This is a required implementation specification.)

 

Personnel

 

164.524(e)(2):  A covered entity must maintain documentation on the titles and offices of personnel responsible for receiving requests to access protected health information.

 

164.526(f):  A covered entity must maintain documentation on the titles of persons or offices responsible for processing requests for amendment of protected health information.

 

164.528(d)(3):  A covered entity must retain records of the titles of persons or offices responsible for receiving and processing requests for an accounting of disclosures.

 

164.530(b)(2)(ii):  A covered entity must maintain records of training that has been provided.

 

164.530(e)(2):  A covered entity must maintain records of sanctions that are applied to members of its workforce who have failed to comply with its privacy and security policies and procedures.

 

Access

 

164.524(e)(1):  A covered entity must maintain documentation of the designated record sets (information used to make decisions about the individual) for which an individual (patient or health plan member) may submit a request for access.

164.316(b)(2)(ii): Covered entities must make needed documentation available to those responsible for implementing the procedures to which the documentation pertains.  (Note:  This is a required implementation specification.)

 

Disclosures

 

164.528(d)(1):  A covered entity must retain documentation on each disclosure of protected health information that could be the subject for a request for an accounting of disclosures.  The information maintained must include all items that are required to be part of a disclosure accounting.

 

164.528(d)(2):  A covered entity is required to maintain a record of written accountings of disclosures provided to individuals (patients or health plan members).

 

164.508(b)(6):  A covered entity must document and retain all signed authorizations.

 

164.522(a)(3):  A covered entity that agrees to restrictions on the use or disclosure of protected health information for treatment, payment or health care operations must maintain written records of such agreements.

 

Notice History

 

164.520(e):  A covered entity must maintain copies of all published notices of information practices and acknowledgements (or attempts to gain acknowledgement) of the receipt of such notices as part of the required documentation.

 

Complaints

 

164.530(d)(2):  A covered entity must maintain records of all complaints received and the disposition of each complaint.

 

164.530(j)(1)(i):  A covered entity is required to document all policies and procedures adopted to protect the privacy of protected health information.

 

Retention

 

164.530(j)(2):  A covered entity must maintain all required documentation for a period of six years following its creation date or last date in effect.

 

Business Associate Agreements

 

164.502(e)(2):  A covered entity must document the satisfactory assurances given by a business associate in the form of a contract, agreement or other arrangement.

 

164.504(e)(2): A business associate’s agreement with a covered entity describing their satisfactory assurances must contain certain mandatory elements.  (Permitted uses and disclosures, appropriate safeguards, etc.)

 

Hybrid and Affiliated Entities

 

164.504(c)(3)(iii):  A hybrid entity is responsible for designating the health care components of the organization.

 

164.504(d)(2):  If two covered entities are designated as affiliated (i.e. acting as a single covered entity), documentation of this designation must be maintained.

 

Facilities and Equipment

164.310(a)(2)(iv): Each covered entity must implement policies and procedures to document repairs and modifications to security-related physical components.  (Note:  This is an addressable implementation specification.)

 

DEMONSTRATING COMPLIANCE

 

Mandatory Disclosure

 

164.502(a)(2)(ii):  A covered entity must disclose protected health information if required to do so as part of a compliance review or investigation.

 

Record Keeping

 

160.310(a):  A covered entity is required to keep appropriate records and submit appropriate reports to demonstrate HIPAA compliance, as directed by the Department of Health and Human Services.

 

Cooperation

 

160.310(b):  A covered entity is required to cooperate with compliance reviews and investigations.

 

160.310(c)(1):  A covered entity must permit the Department of Health and Human Services to inspect its facilities, books and records and other information (including protected health information) that are pertinent to determining whether or not the covered entity is in compliance with HIPAA regulations.

 

Policies and Procedures Review

164.308(a)(8): Each covered entity must conduct periodic evaluations to determine the extent to which its policies and procedures meet the requirements of the security rule.

 

BUSINESS ASSOCIATE AGREEMENTS

 

Formal Agreements Required for Shared Health Information

 

164.502(e)(1)(i):  A covered entity may not disclose protected health information to a business associate unless it first obtains satisfactory assurance from the business associate that the associate will appropriately safeguard the information, with certain exceptions (e.g. treatment, disclosures to a plan sponsor, a government program providing public benefits, etc.).

164.308(b): Each covered entity must obtain satisfactory assurances from business associates that they will safeguard electronic protected health information.  These assurances must be in the form of a binding contract.

 

Agreement is Binding

 

164.502(e)(1)(iii):  A covered entity that acts as a business associate of another covered entity may not use or disclose protected health information except as provided by the business associate agreement.

 

164.504(e)(1)(ii):  A covered entity that is aware of a breach of a business associate agreement must take reasonable steps to cure the breach.  If those steps do not work, the covered entity must either terminate the agreement or (if termination is unfeasible) notify the Department of Health and Human Services.

 

Mandatory Content

164.314(a)(2)(i): Business associate agreements must include certain mandatory language such as an agreement to implement administrative, physical and technical safeguards to protect the confidentiality, availability and integrity of electronic protected health information.   (Note:  This includes several required implementation specifications.)

 

DISCLOSURES FOR RESEARCH, MARKETING AND FUNDRAISING

 

Institutional Review Board Waiver

 

164.512(i)(1):  A covered entity may not use or disclose protected health information for research without individual authorization unless a privacy board or an institutional review board has approved a waiver.

 

164.512(i)(2): A privacy board or institutional review board may authorize a waiver of authorization to release protected health information for research purposes only if the waiver documentation contains certain provisions.  (Identity of the review board, plan to protect the identifiers from abuse or disclosure, etc.)

 

Mandatory Notice Content for Fundraising

 

164.514(f)(2)(i):  If a covered entity uses protected health information for fundraising, where authorization is not required, its notice of information practices must state that the individual (patient or health plan member) may be contacted by the covered entity to raise funds.

 

Opt-out Feature

 

164.514(f)(2)(ii):  If a covered entity uses protected health information for fundraising where authorization is not required, the fundraising material must state how the individual may opt out of future fundraising communications.

 

164.514(f)(2)(iii):  A covered entity must make reasonable efforts to ensure that individuals who opt out of receiving fundraising communications are not sent such material.

Authorization Required for Marketing

164.508(a)(3)(i): A covered entity must obtain an authorization to use protected health information for marketing activities, with certain exceptions.  (Face-to-face communications, promotional gifts of nominal value.)

 

HYBRID ENTITIES

 

Wall Between Regulated and Unregulated Business Components

 

164.504(c)(2):  A hybrid entity must ensure that health care components do not disclose protected health information to non-health care components of the organization.

 

GROUP HEALTH PLANS

 

Disclosures to Plan Sponsors

 

164.504(f)(1)(i):  A group health plan must ensure that the plan documents restrict uses and disclosures of protected health information by plan sponsors before such information may be disclosed to the plan sponsor, with certain exceptions (e.g. summary information disclosed for the purpose of obtaining premium bids, etc.).

 

164.504(f)(2): Plan documents of group health plans must contain certain mandatory elements.  (Permitted and required uses and disclosures of information by the plan sponsor, etc.)

 

164.504(f)(3)(iii):  A group health plan may not disclose protected health information to a plan sponsor unless its notice of information practices contains a separate statement to that effect.

164.314(b): Group health plans must ensure that plan documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected health information.  (Note:  This applies to group health plans only.)  (Note:  This includes several required implementation specifications.)

 

HEALTH CARE CLEARINGHOUSES

 

Compliance Requirements

 

164.500(b)(1): A health care clearinghouse that is a business associate of a covered entity may use or disclose protected health information only as permitted in the business associate agreement.  Additionally it must comply with certain sections of the privacy rule.  (General rules concerning uses and disclosures of protected health information, organizational requirements, public purpose disclosures, etc.)

 

164.500(b)(2):  A health care clearinghouse that creates or receives protected health information other than as a business associate of another covered entity must comply with all HIPAA standards and requirements.

164.308(a)(4)(ii)(A): Health care clearinghouses that are part of a larger organization must implement policies and procedures that protect electronic protected health information from unauthorized access by the larger organization. (Note:  This is a required implementation specification.  This requirement applies to health care clearinghouses only.)

 

PUBLIC PURPOSE DISCLOSURES

 

Disclosures for Law Enforcement Purposes

 

164.512(f): A covered entity may disclose only certain kinds of protected health information for law enforcement purposes to law enforcement officials.  (Relevant to a legitimate law enforcement inquiry; concerning victims of crimes; for identification and location purposes; etc.)

 

Disclosures About Victims of Abuse

 

164.512(c)(1):  A covered entity may disclose protected health information concerning suspected victims of abuse, neglect or domestic violence to appropriate government authority only if the individual agrees to the disclosure, the disclosure is required by law or the disclosure is authorized by state statute and is necessary to prevent harm.

Judicial and Administrative Proceedings

 

164.512(e)(1):  A covered entity may disclose protected health information in the course of a judicial or administrative proceeding only in certain circumstances.  (In response to a court order; the individual has authorized it; in response to a subpoena or discovery request accompanied by certain assurances.)

 

164.512(e)(1)(i): A covered entity that discloses protected health information in response to a court order may disclose only that information expressly authorized by the order.

 

164.512(e)(1)(ii):  A covered entity may disclose protected health information in response to a subpoena or discovery request (unaccompanied by a court order) only when accompanied by certain satisfactory assurances that contain certain mandatory elements.

 

Disclosures About Decedents

 

164.512(g): A covered entity may disclose protected health information to coroners, medical examiners and funeral directors only as necessary to carry out their duties.  (Cause of death, identity, etc.)

 

Averting a Serious Threat to Health or Safety

 

164.512(j): A covered entity may disclose information to avert a serious threat to health or safety only if the disclosure is necessary and is made to a person able to prevent or reduce the threat.

 

DE-IDENTIFIED DATA DISCLOSURES

 

De-Identified Data

 

164.514(b):  A covered entity may disclose de-identified information only if the de-identification procedure meets certain basic requirements.  (Specific identifiers removed, re-identification codes protected, etc.)

 

Limited Data Sets

 

164.514(e)(2): A covered entity may disclose information contained in a limited data set only if certain data identifiers are removed.  (Name, address, telephone number, etc.)

 

164.514(e)(3): A covered entity may disclose information contained in a limited data set only for specific purposes.  (Research, public health, health care operations.)

 

164.514(e)(4): A covered entity may disclose information contained in a limited data set only if it at first obtains a data use agreement with certain mandatory provisions.  (Permitted uses and disclosures, appropriate safeguards, etc.)

 

ORGANIZED HEALTH CARE ARRANGEMENTS

 

Joint Notice

164.520(d)(1): Covered entities that participate in an organized health care arrangement (OHCA) must publish a joint notice of privacy practices.

 

164.520(d)(2): The notice provided by an organized health care arrangement (OHCA) must include a description of the entities or classes of entities to which the notice applies.  It must also contain a description of the service delivery sites and state that the covered entities in the OHCA will share protected health information with each other.
