Organizational Requirements under the Privacy Rule
These are the rules and regulations a healthcare provider must follow with regard to its internal organizational practices.
Designate a Privacy Official
The healthcare provider must designate a privacy official who is responsible for developing and implementing the provider's privacy policies and procedures.
The provider must designate a contact person or office responsible for receiving complaints under this section and able to provide further information about matters covered by the privacy notice.
The provider must document the designation of the privacy official and the contact person or office, including their contact information.
Training
The healthcare provider must train all members of its workforce on its policies and procedures with respect to protected health information, as necessary and appropriate for each member to carry out his or her functions within the organization.
The provider must provide training as follows:
The provider must document that the training has been provided.
Safeguards
The healthcare provider must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
The provider must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that would violate the standards, implementation specifications, or other requirements of the Privacy Rule.
The provider must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
Complaints
The healthcare provider must provide a process for individuals to make complaints concerning the provider’s policies and procedures or its compliance with those policies and procedures.
The provider must document all complaints received, and their disposition, if any.
Sanctions
The provider must have and apply appropriate sanctions against members of its workforce who fail to comply with the provider's privacy policies and procedures or with the requirements of the Privacy Rule.
This standard does not apply to a member of the workforce with respect to actions that are covered by, and meet the conditions of, the Privacy Rule's whistleblower provisions.
The provider must document the sanctions that are applied, if any.
Mitigation
The healthcare provider must mitigate, to the extent practicable, any harmful effect that is known to the provider of a use or disclosure of protected health information, by the provider or its business associate, in violation of its policies and procedures or the requirements of the Privacy Rule.
Refraining from Intimidating or Retaliatory Acts
Waiver of Rights
The healthcare provider may not require individuals to waive their rights under the Privacy Rule as a condition of treatment, payment, enrollment in a health plan, or eligibility for benefits.
Policies and Procedures
The healthcare provider must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, and other requirements of the Privacy Rule. The policies and procedures must be reasonably designed, taking into account the provider's size and the type of activities involving protected health information that it undertakes, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement.
Changes to Policies and Procedures
The healthcare provider must change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of the Privacy Rule.
When a provider changes a privacy practice that is stated in the notice, and makes corresponding changes to its policies and procedures, it may make the changes effective for protected health information that it created or received prior to the effective date of the notice revision, but only if the notice included a statement reserving the provider's right to make such a change in its privacy practices.
The provider may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented according to the procedures below.
Changes in Law
Whenever a change in law necessitates a change to the provider’s policies or procedures, the provider must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the notice of privacy practices, the provider must promptly make the appropriate revisions to the notice.
Changes to Privacy Practices Stated in the Notice
To implement a change to the notice of privacy practices, a provider must:
If a provider has not reserved its right to change a privacy practice that is stated in the notice, the provider is bound by the privacy practices as stated in the notice with respect to protected health information created or received while such notice is in effect. A provider may change a privacy practice that is stated in the notice, and the related policies and procedures, without having reserved the right to do so, provided that:
Changes to other Policies or Procedures
A provider may change, at any time, a policy or procedure that does not materially affect the content of the notice, provided that:
A provider must:
The provider must retain the documentation for six (6) years from the date of its creation or the date when it was last in effect, whichever is later.
45 CFR §164.530