NPRM: Standards for Privacy of Individually Identifiable Health Information. § 164.520 Documentation of policies and procedures.

(a) Standard. A covered entity must adequately document its compliance with the applicable requirements of this subpart.

(b) Implementation specification: general. A covered entity must document its policies and procedures for complying with the applicable requirements of this subpart. Such documentation must include, but is not limited to, documentation that meets the requirements of paragraphs (c) through (g) of this section.

(c) Implementation specification: uses and disclosures. With respect to uses by the covered entity or its business partners of protected health information, a covered entity must document its policies and procedures regarding:

(1) Uses and disclosures of such information, including:

(i) Uses and disclosures with authorization, including for revocation of authorizations; and

(ii) Uses and disclosures without authorization, including:

(A) For treatment, payment, and health care operations;

(B) For disclosures to business partners, including monitoring and mitigation; and

(C) For uses and disclosures pursuant to § 164.510.

(2) For implementation of the minimum necessary requirement of § 164.506(b).

(3) For implementation of the right to request a restriction under § 164.506(c), including:

(i) Who, if anyone, in the covered entity is authorized to agree to such a request; and

(ii) How restrictions agreed to are implemented.

(4) For creation of de-identified information in accordance with § 164.506(d).

(d) Implementation specification: individual rights. A covered entity must document its policies and procedures under §§ 164.512, 164.514, 164.515, and 164.516, as applicable, including:

(1) How notices will be disseminated in accordance with § 164.512;

(2) Designated record sets to which access will be granted under § 164.514;

(3) Grounds for denying requests for access under § 164.514;

(4) Copying fees, if any;

(5) Procedures for providing accounting pursuant to § 164.515;

(6) Procedures for accepting or denying requests for amendment or correction under § 164.516;

(7) How other entities will be notified of amendments or corrections accepted under § 164.516; and

(8) Identification of persons responsible for making decisions or otherwise taking action, including serving as a contact person, under §§ 164.512, 164.514, 164.515, and 164.516.

(e) Implementation specification: administrative requirements. A covered entity must provide documentation of its procedures for complying with § 164.518, including:

(1) Identification of the persons or offices required by § 164.518(a) and their duties;

(2) Training provided as required by § 164.518(b);

(3) How access to protected health information is regulated by the covered entity and its business partners, including safeguards required by § 164.518(c);

(4) For a covered entity that is a health plan or health care provider, for receiving complaints under § 164.518(d);

(5) Sanctions, and the application thereof, required by § 164.518(e); and

(6) Procedures for mitigation under § 164.518(f).

(f) Implementation specification: specific documentation required. A covered entity must retain documentation of the following for six years from when the documentation is created, unless a longer period applies under this subpart:

(1) Restrictions agreed to pursuant to § 164.506(c);

(2) Contracts pursuant to § 164.506(e);

(3) Authorization forms used pursuant to § 164.508;

(4) Samples of all notices issued pursuant to § 164.512;

(5) Written statements required by § 164.514;

(6) The accounting required by § 164.515;

(7) Documents relating to denials of requests for amendment and correction pursuant to § 164.516;

(8) Certifications under § 164.518(b); and

(9) Complaints received and any responses thereto pursuant to § 164.518(d).

(g) Implementation specification: change in policy or procedure.

(1) Except as provided in paragraph (g)(2) of this section, a covered entity may not implement a change to a policy or procedure required or permitted under this subpart until it has made the appropriate changes to the documentation required by this section and the notice required by § 164.512.

(2) Where the covered entity determines that a compelling reason exists to make a use or disclosure or take another action permitted under this subpart that its notice and policies and procedures do not permit, it may make the use or disclosure or take the other action if:

(i) It documents the reasons supporting the use, disclosure, or other action; and

(ii) Within 30 days of the use, disclosure, or other action, changes its notice, policies and procedures to permit such use, disclosure, or other action.