In the Code of Federal Regulations, 45 CFR § 164.530 relates to the administrative requirements of the HIPAA Privacy Rule – eleven standards that apply to organizations operating in the healthcare sector that are subject to the rules of the Health Insurance Portability and Accountability Act.
The administrative requirements of the HIPAA Privacy Rule have been through several changes since they were first added to the Code of Federal Regulations in 2000. The publication of the Final HIPAA Rule in 2002, an amendment requiring non-intimidatory and non-retaliatory policies in 2006, and the reinforcement of staff training in 2009 demonstrate how HIPAA is constantly evolving.
What is particularly significant about 45 CFR § 164.530 is that it contains a standard relating to administrative, physical, and technical safeguards. It is important for HIPAA Covered Entities and Business Associates to be aware that these safeguards are different from those that appear in the HIPAA Security Rule, because they apply to Protected Health Information (PHI) in all formats.
What is also significant is that the first six standards do not apply to Group Health Plans, which would normally be considered HIPAA Covered Entities. The reasons for the exclusions appear in the final standard below (#11). All other Covered Entities and Business Associates must comply with the first ten standards to be in compliance with HIPAA and the HIPAA Privacy Rule.
One further observation is that, unlike the HIPAA Security Rule, which has “required” and “addressable” implementation specifications, all of the implementation specifications in the administrative requirements are mandatory. Consequently, there is no option to substitute a specification with an alternative measure or to find the specification “unreasonable or inappropriate”.
#1 – Designate a HIPAA Privacy Officer
With the exception of Group Health Plans, all other Covered Entities and Business Associates must designate a HIPAA Privacy Officer. The HIPAA Privacy Officer is responsible for developing and implementing HIPAA policies and procedures, and is also (usually) the point of contact for patients if they have a complaint about accessing or amending their healthcare records.
#2 – Train Staff on HIPAA Policies and Procedures
Although the requirement to train staff on HIPAA policies and procedures existed before 2009, the text of the administrative requirements was changed in that year to ensure training was appropriate “for members of the workforce to carry out their functions”, and that refresher training was provided each time there was a material change to policies and procedures that affected their functions.
#3 – Implement Appropriate Administrative, Physical, and Technical Safeguards
This very brief standard demands a lot, as it requires Covered Entities and Business Associates to “reasonably safeguard PHI from any intentional or unintentional use” that violates HIPAA. The standard also requires that safeguards are put in place to limit incidental disclosures (i.e., more than the Minimum Necessary Standard) – although no guidance is provided on how to do this.
#4 – Processes for Patient Complaints to the Covered Entity
With regard to this standard, it is important to note that it only relates to complaints about the Covered Entity’s policies and procedures (including Breach Notification policies and procedures). It does not relate to the failure to provide a Notice of Privacy Practices or to comply with the content of the Notice. The processes for patient complaints in those circumstances are covered in 45 CFR 164.520.
#5 – Sanctions for Employee Non-Compliance
The requirement to “have and apply appropriate sanctions” applies when a member of the workforce fails to comply with a Covered Entity’s HIPAA policies and procedures, and should not be confused with any other sanctionable action by an employee. Any sanctions that are applied to a member of the workforce due to a breach of HIPAA policies and procedures have to be documented.
#6 – Mitigate the Effect of Unauthorized Disclosures of PHI
This standard effectively makes Covered Entities liable for providing services such as free credit monitoring and identity theft protection in the event of a data breach. Naturally, the services provided should reflect the nature of the data breach and may be subject to state laws in addition to HIPAA. The FTC website has further information about responding to a data breach.
#7 – Non-Intimidatory and Non-Retaliatory Policies
The text of this standard reads as if Covered Entities are not allowed to intimidate or retaliate against patients or their families who make a complaint against a Covered Entity (e.g., by denying medical treatment), but the standard relating to sanctions for employee non-compliance also links to this standard – implying that Covered Entities may not retaliate against staff who report HIPAA violations.
#8 – Waiver of Rights
This is similar to the above standard in that it prohibits conditional care – the conditional care in this scenario being that Covered Entities are not permitted to require individuals (patients and staff) to waive their rights under HIPAA as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
#9 – Changes to Privacy Practices
As demonstrated in the introduction to this article, HIPAA is constantly evolving. Changes in a state or federal law, in a Covered Entity’s operations, or in technology may result in a material change to the Covered Entity’s policies and procedures, which may have to be reflected in its Notice of Privacy Practices. This standard explains where and how the changes need to be documented.
#10 – Documentation and Retention Periods
In all cases, HIPAA policies and procedures have to be documented and retained for inspection by the Office for Civil Rights in the event of a complaint or audit. According to 45 CFR § 164.530, the retention period is six years from the creation of the document or the date when it was last in effect, whichever is later. However, some states require policy documents to be retained for longer.
#11 – Exclusions for Group Health Plans
The exclusions for Group Health Plans apply to #1 through #6 of the administrative requirements because Group Health Plans provide health benefits through an insurance contract with a health insurance issuer or HMO and do not create or receive PHI except for summary health information. Nonetheless, it is still a best practice to designate a Privacy Officer and provide HIPAA training.