What are the requirements for maintaining HIPAA-related policies and procedures?
HIPAA Weekly Advisor, May 9, 2003
Q: What are the privacy rule requirements for maintaining HIPAA-related policies and procedures?
A: With respect to protected health information (PHI), covered entities must implement policies and procedures that are designed to comply with the standards, implementation specifications, or other requirements of the rule. (This requirement does not apply to certain group health plans.) The policies and procedures must be reasonably designed, taking into account the size of and the type of activities that relate to PHI, to ensure compliance.
Covered entities must change policies and procedures as necessary to comply with changes in the law, including the standards, requirements, and implementation specifications of the regulations. In addition, the rule states that covered entities may make any other changes to policies and procedures at any time.
Whenever a change in law necessitates a change to a covered entity's policies or procedures, the covered entity must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the notice of privacy practices, the covered entity must promptly make the appropriate revisions to the notice.
A group health plan that provides benefits solely through an issuer or health maintenance organization (HMO) and does not create, receive, or maintain PHI other than summary health information or information regarding enrollment and disenrollment is exempt from the policies and procedures requirements.
Editor's note: Brought to you by attorneys Marty Baxter and Gretchen McBeath at Bricker and Eckler, LLP and The Quality Management Consulting Group, Ltd. E-mail: mbaxter@bricker.com or gmcbeath@bricker.com