We propose to require covered entities to document their policies and procedures for complying with the applicable administrative requirements in proposed § 164.518. This would include designation of the privacy official required by § 164.518(a) including a description of his or her responsibilities; a description of how the entity would comply with the training and certification requirements for members of its workforce under § 164.518(b); a description of the covered entity’s safeguards required by § 164.518(c); a description of how the covered plan or provider would meet the requirements of § 164.518(d) to receive individual’s complaints; a description of how the covered entity would meet the requirements for sanctioning members of its workforce under § 164.518(e); and a description of how the covered entity would take steps to mitigate any deleterious effect of a use or disclosure of protected health information as required by § 164.518(f).
The documentation would also address how access to protected health information is regulated by the entity, including safeguards, including the procedures that would be required by proposed § 164.518. For covered entities that are part of a larger organization that is not a covered entity (e.g., an on-site clinic at a university or the group health plan component of an employer), we would require such entities to develop and document policies and procedures that ensure that protected health information does not flow outside the health care component of the organization in violation of this proposed rule. For example, a school-based health clinic should have policies and procedures to prevent treatment information from crossing over into the school’s record system.
Many disclosures would require verification of the identity of the person making the request, and sometimes also verification of the legal authority behind the request. The documentation required by this section would include a description of the entity’s verification policies (e.g., what proof would be acceptable), and who would be responsible for ensuring that the necessary verification has occurred before the information is disclosed.