Overview:
§164.524(e)
Implementation specification: Documentation.
A covered entity must document the following and retain the documentation as required by §164.530(j): (1) the designated record sets that are subject to access by individuals; and (2) the titles of the persons or offices responsible for receiving and processing requests for access by individuals.
Action Items:
1) Obtain and review documentation of the current designated record sets subject to access, as well as documentation for the last 6 years (as applicable).
2) Obtain and review policies and procedures to determine if a person or office is specified to process requests for access to PHI. Obtain the name or office specified for each year over the preceding 6-year documentation period.
Related Documents:
1) Documentation of the current designated record sets subject to access, as well as documentation for the last 6 years (as applicable).
2) Policies and procedures to determine if a person or office is specified to process requests for access to PHI.
Additional Guidance:
A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
Article ID: 568
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/hipaa-privacy-documentation-164-524-e-568.html