§164.530(i)(1) Standard: Policies and procedures. A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart and subpart D of this part. The policies and procedures must be reasonably designed, taking into account the size and the type of activities that relate to protected health information undertaken by a covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart.
(2) Standard: Changes to policies and procedures. (i) A covered entity must change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of this subpart or subpart D of this part. (ii) When a covered entity changes a privacy practice that is stated in the notice described in § 164.520, and makes corresponding changes to its policies and procedures, it may make the changes effective for protected health information that it created or received prior to the effective date of the notice revision, if the covered entity has, in accordance with § 164.520(b)(1)(v)(C), included in the notice a statement reserving its right to make such a change in its privacy practices; or (iii) A covered entity may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented in accordance with paragraph (i)(5) of this section.
(3) Implementation specification: Changes in law. Whenever there is a change in law that necessitates a change to the covered entity’s policies or procedures, the covered entity must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of the notice required by § 164.520, the covered entity must promptly make the appropriate revisions to the notice in accordance with § 164.520(b)(3). Nothing in this paragraph may be used by a covered entity to excuse a failure to comply with the law.
(4) Implementation specifications: Changes to privacy practices stated in the notice. (i) To implement a change as provided by paragraph (i)(2)(ii) of this section, a covered entity must: (A) Ensure that the policy or procedure, as revised to reflect a change in the covered entity’s privacy practice as stated in its notice, complies with the standards, requirements, and implementation specifications of this subpart; (B) Document the policy or procedure, as revised, as required by paragraph (j) of this section; and (C) Revise the notice as required by § 164.520(b)(3) to state the changed practice and make the revised notice available as required by § 164.520(c). The covered entity may not implement a change to a policy or procedure prior to the effective date of the revised notice. (ii) If a covered entity has not reserved its right under § 164.520(b)(1)(v)(C) to change a privacy practice that is stated in the notice, the covered entity is bound by the privacy practices as stated in the notice with respect to protected health information created or received while such notice is in effect. A covered entity may change a privacy practice that is stated in the notice, and the related policies and procedures, without having reserved the right to do so, provided that: (A) Such change meets the implementation specifications in paragraphs (i)(4)(i)(A)-(C) of this section; and (B) Such change is effective only with respect to protected health information created or received after the effective date of the notice.
(5) Implementation specification: Changes to other policies or procedures. A covered entity may change, at any time, a policy or procedure that does not materially affect the content of the notice required by § 164.520, provided that: (i) The policy or procedure, as revised, complies with the standards, requirements, and implementation specifications of this subpart; and (ii) Prior to the effective date of the change, the policy or procedure, as revised, is documented as required by paragraph (j) of this section.
Audit Inquiry
Has the covered entity implemented policies and procedures with respect to PHI that are designed to comply with the standards, implementation specifications, and other requirements of the HIPAA Privacy Rule?
Obtain and review documentation that, consistent with the established performance criterion, addresses the following:
– The policies and procedures are reasonably designed to ensure compliance for the size and type of activities performed.
– The entity changes these policies and procedures as necessary to comply with changes in the law.
– The entity documents and implements such changes promptly.
– Any corresponding material changes are made to the notice of privacy practices.
Obtain copies of policies and procedures in place in the previous calendar year and January 1, 2012, and the corresponding notices of privacy practices in effect on those dates. Determine whether material changes (e.g., for health plans, limits on use of genetic information for underwriting purposes; for health care providers, that a request for restriction must be accepted in certain situations) required by the HITECH omnibus rule are incorporated into the recent policies and procedures and are reflected in the notice of privacy practices.
Required/Addressable
Required