In § 164.520 of the NPRM, we proposed to require covered entities to develop and document their policies and procedures for implementing the requirements of the rule. In the final regulation we retain this approach, but specify which standards must be documented in each of the relevant sections. In this section, we state the general administrative requirements applicable to all policies and procedures required throughout the regulation.
In § 164.530(i), (j), and (k) of the final rule, we amend the NPRM language in several respects. In § 164.530(i) we require that the policies and procedures be reasonably designed to comply with the standards, implementation specifications, and other requirements of the relevant part of the regulation, taking into account the size of the covered entity and the nature of the activities undertaken by the covered entity that relate to protected health information. However, we clarify that the requirements that policies and procedures be reasonably designed may not be interpreted to permit or excuse any action that violates the privacy regulation. Where the covered entity has stated in its notice that it reserves the right to change information practices, we allow the new practice to apply to information created or collected prior to the effective date of the new practice and establish requirements for making this change. We also establish the conditions for making changes if the covered entity has not reserved the right to change its practices.
We require covered entities to modify in a prompt manner their policies and procedures to comply with changes in relevant law and, where the change also affects the practices stated in the notice, to change the notice. We make clear that nothing in our requirements regarding changes to policies and procedures or changes to the notice may be used by a covered entity to excuse a failure to comply with applicable law.
In § 164.530(j), we require that the policies and procedures required throughout the regulation be maintained in writing, and that any other communication, action, activity, or designation that must be documented under this regulation be documented in writing. We note that "writing" includes electronic storage; paper records are not required. We also note that, if a covered entity is required to document the title of a person, we mean the job title or similar description of the relevant position or office.
We require covered entities to retain any documentation required under this rule for at least six years (the statute of limitations period for the civil penalties) from the date of the creation of the documentation, or the date when the document was last in effect, which ever is later. This generalizes the NPRM provision to cover all documentation required under the rule. The language on "last was in effect" is a change from the NPRM which was worded "unless a longer period applies under this subpart."
This approach is consistent with the approach recommended by the Joint Commission on Accreditation of Healthcare Organizations, and the National Committee for Quality Assurance, in its paper "Protecting Personal Health Information; A framework for Meeting the Challenges in a Managed Care Environment." This paper notes that "MCOs [Managed Care Organizations] should have clearly defined policies and procedures for dealing with confidentiality issues." (p. 29).