NPRM: Standards for Privacy of Individually Identifiable Health Information. 8. Record keeping requirements.


We propose record keeping requirements related to several provisions. In addition to the documentation of policies and procedures described above, we would require covered entities, as applicable, to: document restrictions on uses and disclosures agreed to pursuant to § 164.506(c); maintain copies of authorization forms and signed authorizations (§ 164.508) and contracts used with business partners (§ 164.506(e)); maintain notices of information practices developed under § 164.512; maintain written statements of denials of requests for inspection and copying pursuant to § 164.514; maintain any response made to a request from an individual for amendment or correction of information, either in the form of the correction or amendment or the statement of the reason for denial and, if supplied, the individual's statement of disagreement, for as long as the protected health information is maintained (§ 164.516); maintain signed certifications by members of the workforce required by § 164.518(b); and maintain a record of any complaints received (§ 164.518(d)). Unless otherwise addressed in this proposal, covered entities would be required to retain these documents for six years, which is the statute of limitations period for the civil penalties. We note that additional records or compliance reports may be required by the Secretary for enforcement of this rule (§ 164.522(d)(1)).