Health Information Management

What documentation do the HIPAA regulations require?

HIPAA Weekly Advisor, September 26, 2003

Q: What documentation do the HIPAA regulations require?

A: The rules require that covered entities maintain their policies and procedures in written or electronic form as well as the following:

  • Maintain written or electronic copies of communications that the rules require to be in writing
  • Maintain written or electronic records of actions, activities, or designations the rules require to be documented

Covered entities must retain all documentation required by the regulations for six years from the date of its creation or six years from the date when it last was in effect, whichever is later. Note that this six-year requirement pertains only to documentation required by the HIPAA regulations and not to medical records, for instance. This documentation includes the following:

  • HIPAA policies and procedures
  • Policies and procedures for minimum necessary uses by your work force
  • Accounting documentation, which includes (a) the information required in any accounting (i.e., dates of disclosures, name of entity receiving disclosures, description, etc.); (b) the written accounting that is provided to the individual; and (c) the titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals
  • Amendment documentation, including amendment requests; supplemental material received, such as statements of disagreement and rebuttal statements; and approval or denial notices
  • All complaints received and their disposition, if any
  • All contracts and addenda to existing contracts with business associates and limited data set users, as well as amendments, renewals, revisions, and terminations
  • The name and title of the privacy official and contact person or office responsible for receiving complaints and providing information on the notice of privacy practices
  • Training provided (i.e., topics, dates, and, ideally, participants)
  • Sanctions imposed against noncomplying work force members
  • All versions of the notices of privacy practices and signed acknowledgments of receipt (if health care provider) and documentation when unable to obtain acknowledgment
  • The methods and results of analyses that justify release of de-identified information
  • Agreed-to restrictions on uses and disclosures of information and terminations of such restrictions
  • Access documentation, including the designated record sets subject to access by individuals; the titles of the persons or offices responsible for receiving and processing requests for access by individuals; access approval/denial notices and requests for review
  • The titles of the persons or offices responsible for receiving and processing requests for amendments by individuals
  • All signed authorizations and revocations
  • All approved confidential communication requests and terminations or revocations

A group health plan is subject to the documentation requirements only with respect to its plan documents if it a) provides benefits solely through an issuer or health maintenance organization, and b) does not create, receive, or maintain PHI other than summary health information or information regarding enrollment and disenrollment.

Editor's note: Brought to you by attorneys Marty Baxter and Gretchen McBeath at Bricker and Eckler, LLP and The Quality Management Consulting Group, Ltd. E-mail: mbaxter@bricker.com or gmcbeath@bricker.com


