NRPM: Standards for Privacy of Individually Identifiable Health Information. 16. Development and documentation of policies and procedures. (§ 164.520)


In proposed § 164.520, we would require covered entities to develop and document their policies and procedures for implementing the requirements of this proposed rule. This requirement is intended as a tool to facilitate covered entities’ efforts to develop appropriate policies to implement this proposed rule, to ensure that the members of its workforce and business partners understand and carry out expected privacy practices, and to assist covered entities in developing a notice of information practices.

The scale of the policies developed should be consistent with the size of the covered entity. For example, a smaller employer could develop policies restricting access to health plan information to one designated employee, empowering that employee to deny release of the information to corporate executives and managers unless required for health plan administration. Larger employers could have policies that include using contractors for any function that requires access to protected health information or requiring all reports they receive for plan administration to be de-identified unless individual authorization is obtained.

We are proposing general guidelines for covered entities to develop and document their own policies and procedures. We considered a more uniform, prescriptive approach but concluded that a single approach would be neither effective in safeguarding protected health information nor appropriate given the vast differences among covered entities in size, business practices and level of sophistication. It is important that each covered entity’s internal policies and procedures for implementing the requirements of this regulation are tailored to the nature and number of its business arrangements, the size of its patient population, its physical plant and computer system, the size and characteristics of its workforce, whether it has one or many locations, and similar factors. The internal policies and procedures appropriate for a clearinghouse would not be appropriate for a physician practice; the internal policies and procedures appropriate for a large, multi-state health plan would not be appropriate for a smaller, local health plan.

After evaluating the requirements of federal, State, or other applicable laws, covered entities should develop policies and procedures that are appropriate for their size, type, structure, and business arrangements. Once a covered plan or provider has developed and documented all of the policies and procedures as required in this section, it would have compiled all of the information needed to develop the notice of information practices required in § 164.512. The notice is intended to include a clear and concise summary of many of the policies and procedures discussed in this section. Further, if an individual has any questions about the entity’s privacy policies that are not addressed by the notice, a representative of the entity could easily refer to the documented policies and procedures for additional information.

Before making a material change in a policy or procedure, the covered entity would, in most instances, be required to make the appropriate changes to the documentation required by this section before implementing the change. In addition, covered plans and providers would be required to revise their notice of information practices in advance. Where the covered entity determines that a compelling reason exists to take an action that is inconsistent with its documentation or notice before making the necessary changes, it could take such action if it documents the reasons supporting the action and makes the necessary changes within 30 days of taking such action.

In an attempt to ensure that large entities develop coordinated and comprehensive policies and procedures as required by this section, we considered proposing that entities with annual receipts greater than $5 million 35 be required to have a privacy board review and approve the documentation of policies and procedures. As originally conceived, the privacy board would only serve to review research protocols as described in § 164.510(j). We believe that such a board could also serve as “privacy experts” for the covered entity and could review the entity’s documented policies and procedures. In this capacity, the overriding objective of the board would be to foster development of up-to-date, individualized policies that enable the organization to protect health information without unnecessarily interfering with the treatment and payment functions or business needs. This type of review is particularly important for large entities who would have to coordinate policies and procedures among a large staff, but smaller organizations would be encouraged, but not required, to take a similar approach (i.e., have a widely representative group participate in the development and/or review of the organization’s internal privacy policies and the documentation thereof). We solicit comment on this proposal.

We also considered requiring the covered entity to make its documentation available to persons outside the entity upon request. We rejected this approach because covered entities should not be required to share their operating procedures with the public, or with their competitors.

We recognize that the documentation requirement in this proposed rule would impose some paperwork burden on covered plans and providers. However, we believe that it is necessary to ensure that covered plans and providers establish privacy policies and procedures in advance of any requests for disclosure, authorization, or subject access. It is also necessary to ensure that covered entities and members of their workforce have a clear understanding of the permissible uses and disclosures of protected health information and their duty to protect the privacy of such information under specific circumstances.