Get the low down on policy and procedures
HIPAA Weekly Advisor, April 5, 2004
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q: Do the rules require us to prepare and maintain policies and procedures? Specifically, for which activities are we required to do so?
A: Yes, the rules state that a covered entity (except for certain group health plans) must implement policies and procedures with respect to PHI, that are designed to comply with the standards, implementation specifications, or other requirements of the rules. To ensure such compliance, the policies and procedures must be reasonably designed so as to take into account the size and type of the covered entity's activities as related to PHI.
There are numerous policies and procedures that are necessary to comply with the regulations, including policies and procedures regarding
* the point at which authorization is required, contents of authorization form, required signatures, and revocation of the authorization
* requests for access, designated record set subject to access, individual authorized to determine when information may be withheld, response time, and fees
* requests for an accounting, response time, fees, information that can be withheld, and that which must be included
* requests for confidential communications (e.g. when they will be approved, who will approve, termination, and exceptions)
* training requirements
* verification of identity of persons seeking disclosure of PHI
* application of appropriate sanctions for work force violations
* safeguards against intentional or unintentional misuse
* complaint process
* patients' rights to request restrictions on uses and disclosures of information, including policies on who may agree to a restriction on
behalf of the covered entity
* business-associate violations
* requests for amendments to PHI
* disclosures of PHI to family and friends of patients, or health plan enrollees
* explanation of the duty to mitigate and report privacy problems
* strategies for the facility directory
* fund-raising and marketing
* distribution of the notice of privacy practices
* minimum necessary uses and disclosures.
This question was provided by the law firm of Bricker & Ecker, LLP. Please visit http://www.bricker.com/legalservices/practice/hcare/hipaa/164.530i.asp for more information.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- HIPAA Q&A: Level of encryption needed for email
- What does case-mix index mean to you?
- QA:Coding multiple initial infusions
- Identify potential Medicaid RAC target areas
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- CMS has reformulated payments for some bilateral procedures
- Catch up on what's new with injections and infusions
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched