In the Code of Federal Regulations, 45 CFR § 164.530 sets out the administrative requirements of the HIPAA Privacy Rule – eleven standards that apply to organizations operating in the healthcare sector that are subject to the Health Insurance Portability and Accountability Act.
The administrative requirements of the HIPAA Privacy Rule have been through several changes since they were first added to the Code of Federal Regulations in 2000. The publication of the modified Privacy Rule in 2002, an amendment addressing non-intimidatory and non-retaliatory policies in 2006, and the reinforcement of staff training requirements in 2009 demonstrate how HIPAA is constantly evolving.
What is particularly significant about 45 CFR § 164.530 is that it contains a standard relating to administrative, physical, and technical safeguards. It is important for HIPAA Covered Entities and Business Associates to be aware that these safeguards are different from those that appear in the HIPAA Security Rule as they apply to Protected Health Information (PHI) in all formats.
What is also significant is that the first six standards do not apply to certain Group Health Plans, even though Group Health Plans are normally HIPAA Covered Entities. The conditions for the exclusion appear in the final standard below (#11). All other Covered Entities and Business Associates must comply with the first ten standards to be in compliance with HIPAA in general and the HIPAA Privacy Rule in particular.
One further observation is that, unlike the HIPAA Security Rule which has “required” and “addressable” implementation specifications, all of the implementation specifications in the administrative requirements are mandatory. Consequently, there are no options to substitute a specification with an alternative measure or find the specification “unreasonable or inappropriate”.
#1 – Designate a HIPAA Privacy Officer
With the exception of Group Health Plans, all other Covered Entities and Business Associates must designate a HIPAA Privacy Officer. The HIPAA Privacy Officer is responsible for developing and implementing HIPAA policies and procedures, and is also (usually) the point of contact for patients if they have a complaint about accessing or amending their healthcare records.
#2 – Train Staff on HIPAA Policies and Procedures
The requirement to train staff on HIPAA policies and procedures existed prior to 2009, but the text of the administrative requirements was changed to ensure training is appropriate “for members of the workforce to carry out their functions”, and that refresher training is provided within a reasonable period each time there is a material change to policies and procedures that affects their functions.
#3 – Implement Appropriate Administrative, Physical, and Technical Safeguards
This very brief standard demands a lot, as it requires Covered Entities and Business Associates to “reasonably safeguard PHI from any intentional or unintentional use or disclosure” that violates HIPAA. The standard also requires that safeguards are put in place to limit incidental uses and disclosures made pursuant to an otherwise permitted or required use or disclosure – an obligation that goes beyond the Minimum Necessary Standard – although no guidance is provided on how to do this.
#4 – Processes for Patient Complaints to the Covered Entity
With regard to this standard, it is important to note that it only relates to complaints about the Covered Entity’s policies and procedures, or its compliance with them (including Breach Notification policies and procedures). It does not relate to the failure to provide a Notice of Privacy Practices or to comply with the content of the Notice. The processes for patient complaints in those circumstances are covered in 45 CFR § 164.520.
#5 – Sanctions for Employee Non-Compliance
The requirement to “have and apply appropriate sanctions” applies when a member of the workforce fails to comply with a Covered Entity’s HIPAA policies and procedures, and should not be confused with any other sanctionable action by an employee. The standard itself excludes sanctions against workforce members who make whistleblower disclosures permitted by § 164.502(j) or who exercise the complaint rights protected by the non-retaliation standard (#7). Any sanctions that are applied to a member of the workforce due to a breach of HIPAA policies and procedures have to be documented.
#6 – Mitigate the Effect of Unauthorized Disclosures of PHI
This standard requires Covered Entities to mitigate, to the extent practicable, any harmful effect known to them of a use or disclosure of PHI in violation of their policies and procedures or of the Privacy Rule, whether by the Covered Entity or by a Business Associate. In practice, this can mean providing services such as free credit monitoring and identity theft protection in the event of a data breach. The services provided should reflect the nature of the data breach, and may be subject to state laws in addition to HIPAA. The FTC website has further information about responding to a data breach.
#7 – Non-Intimidatory and Non-Retaliatory Policies
The text of this standard reads as if Covered Entities are only prohibited from intimidating or retaliating against patients or their families who make a complaint against a Covered Entity (e.g., by denying medical treatment), but the standard relating to sanctions for employee non-compliance also cross-references this standard – meaning Covered Entities may not retaliate against staff who report HIPAA violations or who exercise any other right under the Privacy Rule.
#8 – Waiver of Rights
This is similar to the above standard in that it prohibits conditional care – the condition in this scenario being a waiver of rights. Covered Entities are not permitted to require individuals to waive their rights under the Privacy Rule, or their right to complain to the Secretary of HHS, as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
#9 – Changes to Privacy Practices
As demonstrated in the introduction to this article, HIPAA is constantly evolving. Changes in state or federal law, in a Covered Entity’s operations, or in technology may require a material change to the Covered Entity’s policies and procedures, which may in turn have to be reflected in its Notice of Privacy Practices. This standard explains when such changes take effect and how they need to be documented.
#10 – Documentation and Retention Periods
In all cases, HIPAA policies and procedures have to be documented and retained for inspection by the Office for Civil Rights in the event of a complaint or audit. According to 45 CFR § 164.530, the retention period is six years from the date the document was created or the date when it was last in effect, whichever is later. However, some states require policy documents to be retained for longer.
#11 – Exclusions for Group Health Plans
The exclusions for Group Health Plans apply to #1 to #6 of the administrative requirements when a Group Health Plan provides health benefits solely through an insurance contract with a health insurance issuer or HMO, and does not create or receive PHI other than summary health information and information about whether an individual is participating in, enrolled in, or disenrolled from the plan. Nonetheless, it is still a best practice for such plans to designate a Privacy Officer and provide HIPAA training.
HIPAA 45 CFR § 164.530: FAQ
What is the HIPAA Privacy Rule?
First published in 2000 and modified in 2002, the Privacy Rule essentially defines what is considered protected health information (PHI) under HIPAA, when such PHI can be used, and when it is appropriate to disclose PHI. The HIPAA Privacy Rule is also known as the “Standards for Privacy of Individually Identifiable Health Information”.
What are the roles of a HIPAA Privacy Officer?
The HIPAA Privacy Officer has a number of important roles. The Privacy Officer is responsible for ensuring that workplace procedures are HIPAA compliant and safeguard patient privacy, which may involve liaising across a number of departments. They are the individuals in the organization who are responsible for ensuring that all employees are aware of HIPAA policies and protocols by providing regular training sessions. The Privacy Officer also acts as a point of contact if patients or employees have HIPAA-related concerns.
How often should HIPAA training be conducted?
Although HIPAA stipulates that employees must receive training, it does not set a fixed training interval. Each new member of the workforce must be trained within a reasonable period of time after joining, and existing staff whose functions are affected by a material change to policies and procedures must be retrained within a reasonable period after the change. Beyond that, HIPAA does not define how often training should be repeated, but industry best practice is to hold annual training sessions interspersed with additional sessions as required.
What is incidental exposure of PHI?
Incidental exposures of PHI are those that, despite the reasonable safeguards of the Covered Entity and the best efforts of the employee, cannot be prevented. They are limited in nature and are usually a by-product of an otherwise permitted use or disclosure. For example, if a nurse takes another nurse into a private room to discuss a patient’s care, and another employee enters the room and overhears part of the discussion, this could be considered an incidental exposure. The nurses were following workplace protocol to prevent others from overhearing the PHI, but despite their best efforts, PHI was exposed anyway.