HIPAA Privacy - Policies and Procedures 164.530(i)

Overview:
164.530(i)
Policies and Procedures.
All covered entities must have policies and procedures that are consistent with the requirements of the Breach Notification Rule.

Action Items:
1) Obtain and review the covered entity’s policies and procedures for evaluating the appropriate action under the Breach Notification Rule when there is an impermissible use or disclosure of PHI.
2) Obtain and review the covered entity’s policies and procedures for providing notifications to individuals, the media (if applicable), and the Secretary.
3) Obtain and review the covered entity’s policies and procedures for requiring business associates to report an impermissible use or disclosure of PHI to the covered entity and the covered entity’s process for handling such reports.

Related Documents:
1) Policies and procedures for evaluating the appropriate action under the Breach Notification Rule when there is an impermissible use or disclosure of PHI.
2) Policies and procedures for providing notifications to individuals, the media (if applicable), and the Secretary.
3) Policies and procedures for requiring business associates to report an impermissible use or disclosure of PHI to the covered entity and the covered entity’s process for handling such reports.

Additional Guidance:
Policies and Procedures
A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart.

Changes to Policies and Procedures
A covered entity must change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of this subpart or subpart D of this part. When a covered entity changes a privacy practice that is stated in the notice described in § 164.520, and makes corresponding changes to its policies and procedures, it may make the changes effective for protected health information that it created or received prior to the effective date of the notice revision, if the covered entity has, in accordance with § 164.520(b)(1)(v)(C), included in the notice a statement reserving its right to make such a change in its privacy practices. A covered entity may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented in accordance with paragraph (i)(5) of this section.

Changes in the Law
Whenever there is a change in law that necessitates a change to the covered entity's policies or procedures, the covered entity must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the notice required by § 164.520, the covered entity must promptly make the appropriate revisions to the notice in accordance with § 164.520(b)(3). Nothing in this paragraph may be used by a covered entity to excuse a failure to comply with the law.

Changes to Privacy Practices Stated in the Notice
To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: Ensure that the policy or procedure, as revised to reflect a change in the covered entity's privacy practice as stated in its notice, complies with the standards, requirements, and implementation specifications of this subpart; Document the policy or procedure, as revised, as required by paragraph (j) of this section; and Revise the notice as required by § 164.520(b)(3) to state the changed practice and make the revised notice available as required by § 164.520(c). The covered entity may not implement a change to a policy or procedure prior to the effective date of the revised notice.