NRPM: Standards for Privacy of Individually Identifiable Health Information. i. Documentation requirements for covered entities.


We are proposing that covered entities be required to document policies and procedures in several important areas. These areas would include use within the entity; informing business partners; disclosures with and without authorization; limitations on use and disclosure for self-pay; inspection and copying; amendment or correction; accounting for uses and disclosures; notice development, maintenance, and dissemination; sanctions; and complaint procedures. We considered whether formal documentation of these policies would be necessary. A key factor in making this decision was determining the burden on entities, particularly the burden on small entities. We also considered whether it would be reasonable to exempt very small entities from this provision. For example, entities with fewer than ten employees could be able to effectively communicate policies and procedures verbally. We decided that we needed to include all entities in the provision because these documentation requirements are intended as tools to educate the management, employees, and business partners about the consideration that should be given to protecting the privacy of health information.