Policy and Procedure Documentation

System and Administrative Requirements: How To Create Required Documentation

Outline Developed by Barney McDowell LCSW for 2-28-03 Pragmatics of HIPAA Training

(When you read this, think of YOURSELF every time the term Covered Entity (CE) is used.)

 I.      If you are a “covered entity”, you must keep written or electronic documentation of your compliance with HIPAA.

II.   By making electronic transactions (or stipulating to, e.g., an insurer that you are a “covered entity”), you are designated as a “covered entity”! But once you are a “covered entity”, the rule applies to all forms of your communication of PHI, including written and oral, not just electronic. See p. 82561-64 for administrative citations.  Therefore, your policy and procedure documentation needs to address all of those forms.

III.  Below (B. 1-9), overarching principles of HIPAA’s requirements for Policy and Procedures are listed first; then very specific requirements are listed in a format you may consider using as a template to create your own Policy and Procedure Documentation.  This might be referred to as a manual, but there are also requirements for ongoing logging of training, complaints, sanctions, etc.  Please note that this “template” is not comprehensive and HHS does not specify the degree of detail required beyond a one-and-a-half-page description in Sec. 164.530.

A.  Overarching principles:

1.      Administrative requirements are applicable to all policies, procedures and documentation required throughout the regulation.

2.      Your practices must be reasonably designed to comply with the standards, implementation specifications, and other requirements of the relevant part of the regulation.

3.      Must be written in plain language and support the Privacy rules.

4.      “Reasonably design” and “scalable scope” may not be interpreted to permit or excuse any action that violates the privacy regulation.

5.      Policy and Procedures identified must be maintained in writing--compliance is documented.

6.      Any other communication, action, activity, or designation that must be documented under this regulation must be documented in writing. (Writing can be in electronic or paper form).

7.      Must retain documentation for at least 6 years (civil penalties statute of limitations period) from the date of creation or the date the document was last in effect, whichever is later.

8.      Policies must establish conditions for making changes if you have not reserved the right to change your practices in your Privacy practice notice:  They must include that changes to policy, procedure or documentation will not be implemented until added to the documentation and appropriate individuals are notified.


Policy and Procedure Documentation

Disclaimer:  The following is one possible outline that may suffice to meet the Rule’s requirement for documentation.  HHS simply does not specify what detail they will require.  We are left to speculate that for an individual private practitioner it may be sufficient to document that you are the person, e.g., who will be responsible for receiving and acting on patient requests (as per their rights under HIPAA) and that you will accommodate those requests according to the appropriate subparts.  For larger companies and agencies, a great deal more detail will no doubt be required.  For an alternative example, see www.medicalprivacy.unc.edu/resources_potm.htm.


I.  Designating Required Personnel 164.530(a):

Privacy officials must be established.  They are the point person(s) for policy implementation, development and the complaints process. Both a Privacy Officer and a Privacy Contact need to be designated and documented as such (they may be the same person or different persons).

     A.  (______________________) is the Privacy Officer and has the following job duties:


1.     Maintains awareness of relevant laws and regulation of HIPAA, including changes that may affect privacy practices.

2.     Develops, revises, implements and administers privacy policy and procedures; makes necessary updates as changes take place.

3.     Assures implementation of privacy activities and HIPAA compliance.

4.     Educates and trains workforce on privacy issues and practices.


B.    (_______________________) is the Privacy Contact and has the following duties:

   1.  Receives and handles complaints from patients regarding privacy issues.

2.  Provides further information and assistance regarding privacy practices.

3.  Reports and documents privacy activities.


II.  Training the Workforce [164.530(b)]: training of employees in privacy and security. All members of the workforce are required to receive training on the policies and procedures and forms with respect to PHI as necessary and appropriate for their role. As stated above, the Privacy Officer is charged with overseeing the following:

  A.  CE implements policy and procedures for training.

  1. CE provides training on privacy activities, policy, procedure, and forms.
  2. CE documents that training has been provided.

(The degree of detail isn’t prescribed; we can only guess what they’ll accept: who was trained, when, what topic, annual educational updates, etc.  Where will you keep this record of training? Will you have a log designated for that purpose?)

  1. Initial training must be done by compliance date.
  2. Training for new members of workforce must be within a reasonable time (not defined). 
  3. Retraining of workforce whose duties are related to material changes in policy/procedures.

III.  Safeguards [164.530(c)] must limit intentional, unintentional, and incidental disclosure of PHI to persons other than the intended recipient. No specific measures are required. “We intend this to be a common sense, scalable, standard”.

     A. Adopt policy and procedures that include administrative, technical, and physical safeguards (storage, access, use, disclosure process, training).

Suggestions:  Name the person who has access to keys (landlord? maintenance? co-workers? anyone named in your professional will?).  You may name a specific individual or the job category.  Where are records kept? Will they be kept locked throughout the day? Or only at night?  Emergency access? Where are computers kept (if they have PHI)? Are the records encrypted? Who has the passwords?  Do you have a firewall?  A plan to update it?

  1. Must protect against any intentional or unintentional use or disclosures in violation of the rule or implementation specifications.
    1. Must limit any “incidental uses or disclosures”.
  2. Limitations on access to PHI must work with the “minimum necessary” standard and policy should reflect this coordination; must provide training necessary to assure competent security.


Suggestions:  Minimum necessary applies to those giving and/or requesting information; specify which types of PHI will be available to which persons or classes of employees; specify criteria for non-routine disclosures and a review process to ascertain whether those criteria are being adhered to.

  1. Ensure measures are in place so that employees, patients, and others are not subject to intimidation, threats, coercion, discrimination or retaliation for complying with HIPAA or filing a complaint (see separate section on Sanctions below).
  2. Ensure patients, clients, workforce aren’t required to waive their right to file a complaint (separate section immediately below).


IV.  Complaints Process [ 164.530(d)] requires CE to have a mechanism for receiving internal complaints from individuals concerning violations of the CE’s privacy practices and the requirements of the privacy standards.

    A.  Develop and implement formal process for persons to make complaints.

    B.  Develop process for plan of correction to process improvement when complaint is received or when a mistake is identified.

    C.  Must have an identified contact person for complaint process.

    D.  Prohibit retaliation against persons for filing a complaint or exercising any right of the rule.

     E.  Must maintain a record of complaints and brief explanation of nature and resolution if any.

     F.  Must be prepared to respond to complaints that may be filed with the Secretary of HHS.


V. Sanctions against members of workforce who fail to comply with privacy policies or procedures of the CE or requirements of the rule.  Does not apply to whistleblowers and business associates.  They are addressed separately in 164.504.

    A.  CE must develop and impose sanctions appropriate to the nature of the violation, based on nature, severity, whether intentional or unintentional, and whether there is a pattern of improper use or disclosure.

Again, HHS doesn’t detail the types of sanctions it considers appropriate nor how that may work for a sole proprietor.  Suggestions:  Consultation is recommended as a liability measure in many professional predicaments.  Peer review boards have often recommended that errant professionals take a relevant continuing education course.

    B.  Must have written policy and procedures for the application of appropriate sanctions.

    C.  Must document sanctions and violations.


VI.  Refraining from Intimidating or Retaliatory Acts [ 164.530(g)]:  A CE may “not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against”

    A.  an individual for filing a complaint or participating in a process prescribed by the Rule or

    B.  “individuals and others” for

1.     filing a complaint with the Secretary,

2.     testifying, assisting or participating in an investigation, compliance review, proceeding, or hearing under Part C of Title XI, or

3.     opposing any act or practice made unlawful by Rule, provided the individual…made the complaint in “good faith belief” that an “unlawful” act happened and that the “opposition” was made in a reasonable manner without disclosing PHI in violation of the Rule


VI.  Duty to Mitigate Breaches of confidentiality: must alleviate any harmful effect of a use or disclosure of PHI that is known to the CE.  Applies to CE’s policy and procedures and violations of the requirements of the rule.  CE is responsible to act on harm caused by workforce or by business associates. What are your policies about how you plan to do this?  Suggestion: Establish a policy that you’ll interview relevant persons and review documents; consult with peers and/or an attorney about appropriate actions; communicate in written form to all parties asking for documentation that specific breaches have been addressed as well as causes of the breach.


VII.  Patient “Rights” – specific rights have practice or procedural elements that need policy and procedure development and documentation.

A. Written notice of privacy practices and posting  

B.  Document what you consider your designated record set to which all of the following rights refer.


C. Requests for restrictions on disclosure

Document how you will handle these.  For example:  (________________________), the Privacy Officer, will inform clients that they must submit a written request for restrictions on disclosure, i.e., “do not discuss my case in your peer consultation (because one of your peers is my neighbor)”.  The Privacy Officer will review the appropriate subparts of the Privacy Rule and give the client a written response according to the Rule’s requirement.

Note that CEs have the right to refuse to agree to a client’s request re: “uses and disclosures”.  But if a CE agrees, then the CE must adhere to the agreement.  A CE can later change its mind but the changes only apply to information received after notification of the change to the client.


D.  Requests for confidential communication

CEs must accommodate “reasonable requests” for clients to receive communications from the CE (e.g. at cell phone only; in writing, etc.) by “alternative means” or “locations”.  A health plan only has to do this if the client provides a statement that the PHI will endanger the individual if not sent to the alternative requested.


E.  Requests for access and copying PHI

Sec. 164.524  Individuals have the “right to inspect and obtain a copy” of PHI as long as it is maintained as part of a designated record set, except for 1) “psychotherapy notes”, 2) “information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding”, 3) two technical exceptions related to the Clinical Laboratory Improvements Amendments.  Document these exceptions.

There are “unreviewable” grounds for denying a patient’s right to access and “reviewable” grounds; you may need to read Sec. 164.524 in the event of an unusual request.  For most common requests, you generally have 30 days to “act on a request” or 60 days if the information is not on site.  You may provide a summary if the person requesting the info agrees.  You may “impose a reasonable, cost-based fee for” copying, labor, & postage. If a request is denied, there are procedures to be followed; see the actual law for details.  Document your policy about how long you will retain records.


F.  Requests for amending and correcting PHI

Clients have the “right”, with many exceptions, to get CEs to amend a record.  Such requests may be denied 1) if the CE determines that the PHI is “accurate and complete”, 2) when the CE didn’t create the PHI (unless the originator isn’t available to make the amendments), 3) when the info isn’t part of the designated record set, or 4) when the CE could deny access as above.  CEs may require requests for amendment in writing and must act on a request within 60 days.  If it grants the amendment, it must identify which records are affected and amend, append, and/or provide a link to the location of the amendment.  If the CE denies the amendment, it must provide the individual with a written denial stating the basis of the denial, the patient’s right to submit a written statement disagreeing, the patient’s right to request that the CE provide a copy of the request for amendment and the denial response with any future disclosures of the PHI, and how the CE may file a complaint through the CE’s complaint process or to the Secretary of HHS.  If a CE is informed of another CE’s amendment to a client’s record, that first CE must amend also.  CEs must document the titles of the persons or offices responsible for receiving and processing requests for amendments.


G.  Requests for an accounting of PHI disclosures

Individuals have the right to receive an accounting of disclosures of PHI made by a CE in the 6 years prior to the request except: 1) “to carry out” TPO, 2) disclosures already made to the individual requesting it, 3) facility directory, 4) national security or intelligence(?), 5) correctional/law enforcement, 6) part of a limited data set, 7) info gathered prior to compliance date, 8) pursuant to an authorization, and 9) any info released incident to a use or disclosure “otherwise permitted in this subpart”.  There are requirements for the extent of the disclosures CEs are required to make: for each disclosure over the prior 6 years, the date of each disclosure, names, description of what was disclosed, if it was a regular release then the frequency, date of the first and last, etc.  You have 60 days to give the accounting and you must document and retain your accounting of the disclosures.  Research has special, very detailed requirements.  If you can’t do it in 60 days, it is possible to get a 30 day extension if you meet certain exceptions.  The first “accounting of disclosures” must be made free of charge.

 H.  Remember that HIPAA is a federal floor and that Substance Abuse Treatment Acts still apply and need to be considered in light of HIPAA standards.

VIII.  Notice of privacy practices: This written document for patients requires specific elements (sample form provided).  The Privacy Notice must be given to the client, posted on the web, etc. as discussed in detail in another section, but it also has to be accounted for in the Policy and Procedure Documentation.  Any changes must be documented prior to the effective date of change, though changes to the Privacy Notice may retroactively apply as long as the Notice claimed the right to revise at a later date.

 IX.  Business associate relationship requirements.  Business associate contracts ensure compliance by your business partners with HIPAA.  Obviously, a contract is a document but you must document necessary policy and procedures about how you will go about developing and maintaining Business Associate relationships. 

A.  Business Associate contracts are written contracts with specific terms:  associate cannot re-disclose, must maintain confidentiality, return information at end of contract, etc. (see separate section in this handout).

B.  What system do you have to monitor these relationships and communications between them? Who? What?

 X.  Oral communications that need documenting relate to what is needed to meet the “standard” for providing disclosure history. Not all need to be documented and patient access only applies to the designated record set. Must have policy to guide procedures.  Do you have a policy about using client names in your waiting rooms? If you have an office coordinator or secretary, do you have policies about how they will use or disclose oral communications about the client?