NRPM: Standards for Privacy of Individually Identifiable Health Information. H. Development and documentation of policies and procedures. (§ 164.520)


In proposed § 164.520, we would require covered entities to develop and document their policies and procedures for implementing the requirements of this rule. This requirement is intended as a tool to facilitate covered entities’ efforts to develop appropriate policies to implement this rule, to ensure that the members of its workforce and business partners understand and carry out expected privacy practices, and to assist covered entities in developing a notice of information practices.

The scale of the policies developed should be consistent with the size of the covered entity. For example, a smaller employer could develop policies restricting access to health plan information to one designated employee, empowering that employee to deny release of the information to corporate executives and managers unless required for health plan administration. Larger employers could have policies that include using contractors for any function that requires access to protected health information or requiring all reports they receive for plan administration to be de-identified unless individual authorization is obtained.

Clearly, implementation of these requirements would differ significantly based on the size, capabilities and activities of each covered entity. A solo practitioner's documentation of her policies and procedures could provide relatively straightforward statements, such as:

this practice does not use or disclose any protected health information that is not authorized or permitted under the federal privacy regulation and therefore does not request any authorized disclosures from patients. Staff R.N. reviews all individually authorized requests for disclosures to ensure they contain all required elements and reviews the copied information to ensure only authorized information is released in response. Information requests that would require extensive redaction will be denied.

Larger entities with many functions and business relationships that are subject to multi-state reporting and record-keeping requirements would need to develop and document more extensive policies. A health plan would need to describe all activities that would be considered health care operations and identify the use and disclosure requirements of each activity. A health plan may determine that underwriting department employees must provide a written request, approved by a team leader, to access any identifiable claims information; that such requests must be retained and reviewed every quarter for appropriateness; and that the underwriting department must destroy such information after use for an approved activity. We urge professional associations to develop model policies, procedures and documentation for their members of all sizes.

We are proposing general guidelines for covered entities to develop and document their own policies and procedures. We considered a more uniform, prescriptive approach but concluded that a single approach would be neither effective in safeguarding protected health information nor appropriate given the vast differences among covered entities in size, business practices and level of sophistication. It is important that each covered entity’s internal policies and procedures for implementing the requirements of this regulation are tailored to the nature and number of its business arrangements, the size of its patient population, its physical plant and computer system, the size and characteristics of its workforce, whether it has one or many locations, and similar factors. The internal policies and procedures appropriate for a clearinghouse would not be appropriate for a physician practice; the internal policies and procedures appropriate for a large, multi-state health plan would not be appropriate for a smaller, local health plan.

After evaluating the requirements of federal, State, or other applicable laws, covered entities should develop policies and procedures that are appropriate for their size, type, structure, and business arrangements. Once a covered plan or provider has developed and documented all of the policies and procedures as required in this section, it would have compiled all of the information needed to develop the notice of information practices required in § 164.512. The notice is intended to include a clear and concise summary of many of the policies and procedures discussed in this section. Further, if an individual has any questions about the entity’s privacy policies that are not addressed by the notice, a representative of the entity can easily refer to the documented policies and procedures for additional information.

Before making a material change in a policy or procedure, the covered entity would, in most instances, be required to make the appropriate changes to the documentation required by this section before implementing the change. In addition, covered plans and providers would be required to revise their notice of information practices in advance. Where the covered entity determines that a compelling reason exists to take an action that is inconsistent with its documentation or notice before making the necessary changes, it may take such action if it documents the reasons supporting the action and makes the necessary changes within 30 days of taking such action.

In an attempt to ensure that large entities develop coordinated and comprehensive policies and procedures as required by this section, we considered proposing that entities with annual receipts greater than $5 million be required to have a privacy board review and approve the documentation of policies and procedures. As originally conceived, the privacy board would only serve to review research protocols as described in § 164.510(j). We believe that such a board could also serve as "privacy experts" for the covered entity and could review the entity's documented policies and procedures. In this capacity, the overriding objective of the board would be to foster development of up-to-date, individualized policies that enable the organization to protect health information without unnecessarily interfering with the treatment and payment functions or business needs. This type of review is particularly important for large entities that would have to coordinate policies and procedures among a large staff; smaller organizations would be encouraged, but not required, to take a similar approach (i.e., have a widely representative group participate in the development and/or review of the organization's internal privacy policies and the documentation thereof). We solicit comment on this proposal.

We also considered requiring the covered entity to make its documentation available to persons outside the entity upon request. We rejected this approach because covered entities should not be required to share their operating procedures with the public, or with their competitors.

We recognize that the documentation requirement in this proposed rule would impose some paperwork burden on covered plans and providers. However, we believe that it is necessary to ensure that covered plans and providers establish privacy policies and procedures in advance of any requests for disclosure, authorization, or subject access. It is also necessary to ensure that covered entities and members of their workforce have a clear understanding of the permissible uses and disclosures of protected health information and their duty to protect the privacy of such information under specific circumstances.