What is 45 CFR § 164.530?
In the Code of Federal Regulations, 45 CFR § 164.530 relates to the administrative requirements of the HIPAA Privacy Rule – eleven standards that apply to organizations operating in the healthcare and health insurance sectors that are subject to the rules of the Health Insurance Portability and Accountability Act.
The administrative requirements of the HIPAA Privacy Rule have been through several changes since they were first added to the Code of Federal Regulations (CFR) in 2000. The publication of the Final HIPAA Privacy Rule in 2002, an amendment requiring non-intimidatory and non-retaliatory policies in 2006, and the requirement to provide HIPAA training on the Breach Notification Rule in 2009 are just a few examples of how 45 CFR § 164.530 has changed over the years.
What is particularly significant about 45 CFR § 164.530 is that it contains a standard relating to administrative, physical, and technical safeguards. It is important for covered entities and business associates (where applicable) to be aware that these safeguards are different from those that appear in the HIPAA Security Rule, because they apply to Protected Health Information (PHI) in all formats, not only electronic PHI.
What is also significant is that the first six standards do not apply to Group Health Plans, which would normally be considered covered entities. The reasons for the exclusions appear in the final standard below (#11). All other covered entities must comply with the first ten standards to be in compliance with HIPAA in general and the HIPAA Privacy Rule in particular.
With regard to the applicability of 45 CFR § 164.530 to business associates, the HIPAA Privacy Rule applies to business associates “where provided” (see 45 CFR § 160.102). This means that if a business associate provides a service for or on behalf of a covered entity which consists of more than “no view” access, the business associate must comply with all applicable HIPAA Privacy Rule standards.
One further observation is that, unlike the HIPAA Security Rule which has “required” and “addressable” implementation specifications, all of the implementation specifications in the administrative requirements are mandatory. Consequently, there are no options to substitute a specification with an alternative measure or find the specification “unreasonable or inappropriate”.
#1 – Designate a HIPAA Privacy Officer
With the exception of Group Health Plans, all covered entities and qualifying business associates must designate a HIPAA Privacy Officer. The HIPAA Privacy Officer is responsible for developing and implementing HIPAA policies and procedures, and is also (usually) the point of contact for patients if they have a complaint about accessing or amending their healthcare records.
#2 – Provide Training on HIPAA Policies and Procedures
HIPAA training must be provided to all members of the workforce so they can perform their functions in compliance with HIPAA. This requirement extends to members of the workforce who might not have “authorized access” to PHI, but who might disclose patient information impermissibly (e.g., via social media) due to a lack of knowledge or understanding of HIPAA policies.
#3 – Implement Appropriate Administrative, Physical, and Technical Safeguards
This very brief standard demands a lot, as it requires covered entities and qualifying business associates to “reasonably safeguard PHI from any intentional or unintentional use” that violates HIPAA. The standard also requires that safeguards are put in place to limit incidental disclosures (i.e., more than the Minimum Necessary) – although no guidance is provided on how to do this.
#4 – Processes for Patient Complaints to the Covered Entity
Covered entities must have a process that allows patients to complain about privacy violations or other compliance issues (e.g., delays in responding to requests for access to PHI). An explanation of the process must be included in the Notice of Privacy Practices – which must also explain that patients have the right to escalate complaints to HHS’ Office for Civil Rights.
#5 – Sanctions for Workforce Non-Compliance
The requirement to “have and apply appropriate sanctions” applies to all Privacy Rule and Breach Notification Rule violations in addition to violations of the covered entity’s HIPAA policies and procedures. For this reason, it is recommended that Privacy Rule training be provided at least annually. Sanctions imposed on a member of the workforce due to any violation must be documented.
#6 – Mitigate the Effect of Unauthorized Disclosures of PHI
This standard effectively makes covered entities liable for providing services such as free credit monitoring and identity theft protection in the event of a data breach. Naturally, the type of services provided should reflect the nature of the data breach and may be subject to state laws in addition to HIPAA. The FTC website has further information about responding to a data breach.
#7 – Non-Intimidatory and Non-Retaliatory Policies
The text of this standard reads as if covered entities are not allowed to intimidate or retaliate against patients or their families who make a complaint against a covered entity (e.g., by denying medical treatment). However, this standard also applies to whistleblowers who report HIPAA violations internally to the Privacy Officer or directly to HHS’ Office for Civil Rights.
#8 – Waiver of Rights
This is similar to the above standard in that it prohibits conditional care – the conditional care in this scenario being that covered entities are not permitted to require individuals (patients and staff) to waive their rights under HIPAA as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
#9 – Changes to Privacy Practices
As demonstrated in the introduction to this article, HIPAA is constantly evolving. Changes in a state or federal law, in a covered entity’s operations, or in technology may make a material change to the covered entity’s policies and procedures which may have to be included in Notices of Privacy Practices. “Material changes” may also trigger a requirement for refresher HIPAA training.
#10 – Documentation and Retention Periods
In all cases, HIPAA policies and procedures have to be documented and retained for inspection by HHS’ Office for Civil Rights in the event of a complaint or audit. According to 45 CFR § 164.530, the retention period is six years from the creation of the document or date when it was last in effect, whichever is later. However, some states require policy documents to be retained for longer.
#11 – Exclusions for Group Health Plans
The exclusions for Group Health Plans apply to #1 to #6 of 45 CFR § 164.530 because such Group Health Plans provide health benefits through an insurance contract with a health insurance issuer or HMO and do not create or receive PHI except for summary health information. Nonetheless, it is still a best practice to designate a Privacy Officer and provide HIPAA training.
HIPAA 45 CFR § 164.530: FAQ
What is the HIPAA Privacy Rule?
Enacted in 2002, the Privacy Rule essentially defines what is considered protected health information (PHI) under HIPAA, when such PHI can be used and when it is appropriate to disclose PHI. The HIPAA Privacy Rule is also known as the “Standards for Privacy of Individually Identifiable Health Information”.
What are the roles of a HIPAA Privacy Officer?
The HIPAA Privacy Officer has a number of important roles. The Privacy Officer is responsible for ensuring that workplace procedures are HIPAA compliant and safeguard patient privacy, which may involve liaising across a number of departments. They are the individuals in the organization who are responsible for ensuring that all employees are aware of HIPAA policies and protocols by providing regular training sessions. The Privacy Officer also acts as a point of contact if patients or employees have HIPAA-related concerns.
How often should HIPAA training be conducted?
Though HIPAA stipulates that employees must receive training, it does not provide many details on how often training should take place. Employees must be trained near the beginning of their employment term, after which they should receive “regular” training. HIPAA does not attach any definition to “regular” training, but industry best practice is to have annual training sessions interspersed with additional sessions as required.
What is incidental exposure of PHI?
Incidental PHI exposures are those that, despite the best efforts of the employee, cannot be prevented. They are limited in nature and are usually the consequence of a primary, HIPAA-compliant exposure. For example, if a nurse takes another nurse into a private room to discuss a patient’s care, and another employee enters the room and overhears part of the discussion, this could be considered an incidental exposure. The nurses were following workplace protocol to prevent others from overhearing the PHI, but despite their best efforts, PHI was exposed anyway.