[Code of Federal Regulations]
[Title 45, Volume 1]
[Revised as of October 1, 2001]
From the U.S. Government Printing Office via GPO Access
[CITE: 45CFR164.530]
[Page 725-728]
TITLE 45--PUBLIC WELFARE
SUBTITLE A--DEPARTMENT OF HEALTH
AND HUMAN SERVICES
PART 164--SECURITY AND PRIVACY--Table of Contents
Subpart E--Privacy of Individually Identifiable Health Information
Sec. 164.530 Administrative requirements.
(a)(1) Standard: Personnel designations. (i) A covered entity must
designate a privacy official who is responsible for the development and
implementation
[[Page 726]]
of the policies and procedures of the entity.
(ii) A covered entity must designate a contact person or office who
is responsible for receiving complaints under this section and who is
able to provide further information about matters covered by the notice
required by Sec. 164.520.
(2) Implementation specification: Personnel designations. A covered
entity must document the personnel designations in paragraph (a)(1) of
this section as required by paragraph (j) of this section.
(b)(1) Standard: Training. A covered entity must train all members
of its workforce on the policies and procedures with respect to
protected health information required by this subpart, as necessary and
appropriate for the members of the workforce to carry out their function
within the covered entity.
(2) Implementation specifications: Training. (i) A covered entity
must provide training that meets the requirements of paragraph (b)(1) of
this section, as follows:
(A) To each member of the covered entity's workforce by no later
than the compliance date for the covered entity;
(B) Thereafter, to each new member of the workforce within a
reasonable period of time after the person joins the covered entity's
workforce; and
(C) To each member of the covered entity's workforce whose functions
are affected by a material change in the policies or procedures required
by this subpart, within a reasonable period of time after the material
change becomes effective in accordance with paragraph (i) of this
section.
(ii) A covered entity must document that the training as described
in paragraph (b)(2)(i) of this section has been provided, as required by
paragraph (j) of this section.
(c)(1) Standard: Safeguards. A covered entity must have in place
appropriate administrative, technical, and physical safeguards to
protect the privacy of protected health information.
(2) Implementation specification: Safeguards. A covered entity must
reasonably safeguard protected health information from any intentional
or unintentional use or disclosure that is in violation of the
standards, implementation specifications or other requirements of this
subpart.
(d)(1) Standard: Complaints to the covered entity. A covered entity
must provide a process for individuals to make complaints concerning the
covered entity's policies and procedures required by this subpart or its
compliance with such policies and procedures or the requirements of this
subpart.
(2) Implementation specification: Documentation of complaints. As
required by paragraph (j) of this section, a covered entity must
document all complaints received, and their disposition, if any.
(e)(1) Standard: Sanctions. A covered entity must have and apply
appropriate sanctions against members of its workforce who fail to
comply with the privacy policies and procedures of the covered entity or
the requirements of this subpart. This standard does not apply to a
member of the covered entity's workforce with respect to actions that
are covered by and that meet the conditions of Sec. 164.502(j) or
paragraph (g)(2) of this section.
(2) Implementation specification: Documentation. As required by
paragraph (j) of this section, a covered entity must document the
sanctions that are applied, if any.
(f) Standard: Mitigation. A covered entity must mitigate, to the
extent practicable, any harmful effect that is known to the covered
entity of a use or disclosure of protected health information in
violation of its policies and procedures or the requirements of this
subpart by the covered entity or its business associate.
(g) Standard: Refraining from intimidating or retaliatory acts. A
covered entity may not intimidate, threaten, coerce, discriminate
against, or take other retaliatory action against:
(1) Individuals. Any individual for the exercise by the individual
of any right under, or for participation by the individual in any
process established by this subpart, including the filing of a complaint
under this section;
(2) Individuals and others. Any individual or other person for:
(i) Filing of a complaint with the Secretary under subpart C of part
160 of this subchapter;
[[Page 727]]
(ii) Testifying, assisting, or participating in an investigation,
compliance review, proceeding, or hearing under Part C of Title XI; or
(iii) Opposing any act or practice made unlawful by this subpart,
provided the individual or person has a good faith belief that the
practice opposed is unlawful, and the manner of the opposition is
reasonable and does not involve a disclosure of protected health
information in violation of this subpart.
(h) Standard: Waiver of rights. A covered entity may not require
individuals to waive their rights under Sec. 160.306 of this subchapter
or this subpart as a condition of the provision of treatment, payment,
enrollment in a health plan, or eligibility for benefits.
(i)(1) Standard: Policies and procedures. A covered entity must
implement policies and procedures with respect to protected health
information that are designed to comply with the standards,
implementation specifications, or other requirements of this subpart.
The policies and procedures must be reasonably designed, taking into
account the size of and the type of activities that relate to protected
health information undertaken by the covered entity, to ensure such
compliance. This standard is not to be construed to permit or excuse an
action that violates any other standard, implementation specification,
or other requirement of this subpart.
(2) Standard: Changes to policies or procedures. (i) A covered
entity must change its policies and procedures as necessary and
appropriate to comply with changes in the law, including the standards,
requirements, and implementation specifications of this subpart;
(ii) When a covered entity changes a privacy practice that is stated
in the notice described in Sec. 164.520, and makes corresponding changes
to its policies and procedures, it may make the changes effective for
protected health information that it created or received prior to the
effective date of the notice revision, if the covered entity has, in
accordance with Sec. 164.520(b)(1)(v)(C), included in the notice a
statement reserving its right to make such a change in its privacy
practices; or
(iii) A covered entity may make any other changes to policies and
procedures at any time, provided that the changes are documented and
implemented in accordance with paragraph (i)(5) of this section.
(3) Implementation specification: Changes in law. Whenever there is
a change in law that necessitates a change to the covered entity's
policies or procedures, the covered entity must promptly document and
implement the revised policy or procedure. If the change in law
materially affects the content of the notice required by Sec. 164.520,
the covered entity must promptly make the appropriate revisions to the
notice in accordance with Sec. 164.520(b)(3). Nothing in this paragraph
may be used by a covered entity to excuse a failure to comply with the
law.
(4) Implementation specifications: Changes to privacy practices
stated in the notice. (i) To implement a change as provided by paragraph
(i)(2)(ii) of this section, a covered entity must:
(A) Ensure that the policy or procedure, as revised to reflect a
change in the covered entity's privacy practice as stated in its notice,
complies with the standards, requirements, and implementation
specifications of this subpart;
(B) Document the policy or procedure, as revised, as required by
paragraph (j) of this section; and
(C) Revise the notice as required by Sec. 164.520(b)(3) to state the
changed practice and make the revised notice available as required by
Sec. 164.520(c). The covered entity may not implement a change to a
policy or procedure prior to the effective date of the revised notice.
(ii) If a covered entity has not reserved its right under
Sec. 164.520(b)(1)(v)(C) to change a privacy practice that is stated in
the notice, the covered entity is bound by the privacy practices as
stated in the notice with respect to protected health information
created or received while such notice is in effect. A covered entity may
change a privacy practice that is stated in the notice, and the related
policies and procedures, without having reserved the right to do so,
provided that:
[[Page 728]]
(A) Such change meets the implementation the requirements in
paragraphs (i)(4)(i)(A)-(C) of this section; and
(B) Such change is effective only with respect to protected health
information created or received after the effective date of the notice.
(5) Implementation specification: Changes to other policies or
procedures. A covered entity may change, at any time, a policy or
procedure that does not materially affect the content of the notice
required by Sec. 164.520, provided that:
(i) The policy or procedure, as revised, complies with the
standards, requirements, and implementation specifications of this
subpart; and
(ii) Prior to the effective date of the change, the policy or
procedure, as revised, is documented as required by paragraph (j) of
this section.
(j)(1) Standard: Documentation. A covered entity must:
(i) Maintain the policies and procedures provided for in paragraph
(i) of this section in written or electronic form;
(ii) If a communication is required by this subpart to be in
writing, maintain such writing, or an electronic copy, as documentation;
and
(iii) If an action, activity, or designation is required by this
subpart to be documented, maintain a written or electronic record of
such action, activity, or designation.
(2) Implementation specification: Retention period. A covered entity
must retain the documentation required by paragraph (j)(1) of this
section for six years from the date of its creation or the date when it
last was in effect, whichever is later.
(k) Standard: Group health plans. (1) A group health plan is not
subject to the standards or implementation specifications in paragraphs
(a) through (f) and (i) of this section, to the extent that:
(i) The group health plan provides health benefits solely through an
insurance contract with a health insurance issuer or an HMO; and
(ii) The group health plan does not create or receive protected
health information, except for:
(A) Summary health information as defined in Sec. 164.504(a); or
(B) Information on whether the individual is participating in the
group health plan, or is enrolled in or has disenrolled from a health
insurance issuer or HMO offered by the plan.
(2) A group health plan described in paragraph (k)(1) of this
section is subject to the standard and implementation specification in
paragraph (j) of this section only with respect to plan documents
amended in accordance with Sec. 164.504(f).