164.528(b) |
|
 |
|
| |
|
Content of the Accounting: CE must provide
the individual with a written accounting that meets the following
requirements:
|
11.2.2.1.
|
Except as otherwise provided above, the
accounting must include disclosures of PHI that occurred during
the six years (or such shorter time period at the request
of the individual) prior to the date of the request for an
accounting, including disclosures to or by business associates
of the CE.
|
|
11.2.2.2.
|
Except as otherwise provided by ¶
11.2.1.3 and ¶ 11.2.1.4, the accounting must include for
each disclosure:
|
11.2.2.2.1.
|
The date of the disclosure;
|
|
11.2.2.2.2.
|
The name of the entity or person
who received the PHI and, if known, the address of such
entity or person;
|
|
11.2.2.2.3.
|
A brief description of the PHI
disclosed; and
|
|
11.2.2.2.4.
|
A brief statement of the purpose
of the disclosure that reasonably informs the individual
of the basis for the disclosure; or, in lieu of such
statement: (i) a copy of the individual's written authorization;
or (ii) a copy of a written request for a disclosure,
if any.
|
|
|
11.2.2.3.
|
If, during the period covered by the
accounting, the CE has made multiple disclosures of PHI to
the same person or entity for a single purpose, or pursuant
to a single authorization, the accounting may, with respect
to such multiple disclosures, provide:
|
11.2.2.3.1.
|
The information required in ¶
11.2.2.2 for the first disclosure during the accounting
period;
|
|
11.2.2.3.2.
|
The frequency, periodicity, or number
of the disclosures made during the accounting period;
and
|
|
11.2.2.3.3.
|
The date of the last such disclosure
during the accounting period.
|
|
|
|

164.528(b)(4)(i) |
|
 |
|
| |
|
|
11.2.2.4.
|
If, during the period covered by the accounting,
the covered entity has made disclosures of PHI for a particular
research purpose in accordance with ¶ 9.8 for 50 or more
individuals, the accounting may, with respect to such disclosures
for which the protected health information about the individual
may have been included, provide:
(1) The name of the protocol or other research activity;
(2) A description, in plain language, of the research protocol
or other research activity including the purpose of the research
and the criteria for selecting particular records;
(3) A brief description of the type of protected health
information that was disclosed;
(4) The date or period of time during which such disclosures
occurred, or may have occurred, including the date of the last
such disclosure during the accounting period;
(5) The name, address, and telephone number of the entity that
sponsored the research and of the researcher to whom the
information was disclosed; and
(6) A statement that the protected health information of the
individual may or may not have been disclosed for a particular
protocol or other research activity.
(ii) If the covered entity provides an accounting for research
disclosures, in accordance with this section, and if it is
reasonably likely that PHI of the individual was disclosed for
such research protocol or activity, the covered entity shall, at
the request of the individual, assist in contacting the entity
that sponsored the research and the researcher.
|
|
|
| 164.528(c) |
|
 |
|
|
|
|
Provision of the Accounting:
|
11.2.3.1.
|
CE must provide the individual with the
accounting requested no later than 60 days after receipt of
the request; or
|
|
11.2.3.2.
|
If CE is unable to provide the accounting
within 60 days after receipt of the request, the CE may extend
the time to provide the accounting by no more than 30 days,
provided that:
|
11.2.3.2.1.
|
CE, within 60 days after receipt
of the request, provides the individual with a
written statement of the reasons for the delay
and the date by which the CE will provide the
accounting; and
|
|
11.2.3.2.2.
|
CE may have only one such
extension of time for action on a request for
an accounting.
|
|
|
11.2.3.3.
|
CE must provide the first accounting
to an individual in any 12 month period without charge. CE may
impose a reasonable, cost-based fee for each subsequent request
for an accounting by the same individual within the 12 month
period, provided that the CE informs the individual in advance
of the fee and provides the individual with an opportunity to
withdraw or modify the request for a subsequent accounting in
order to avoid or reduce the fee.
|
|
|
 164.528(d) |
|
 |
|
| |
|
Documentation: CE must document the
following and retain the documentation for six years from the date
of its creation [¶ 11.3.10]:
|
11.2.4.1.
|
The information required to be included
in an accounting for disclosures of PHI that are subject to
an accounting;
|
|
11.2.4.2.
|
The written accounting that is provided
to an individual; and
|
|
11.2.4.3.
|
The titles of the persons or offices
responsible for receiving and processing requests for an accounting
by individuals.
|
|
|
 164.530
164.530(a) |
|
 |
|
|
|
Administrative Requirements:
|
|
Required Personnel Designations:
CE must designate, and document, according to ¶ 11.3.10,
designations of:
|
11.3.1.1.
|
Privacy Official: Responsible for
development and implementation of the CE's policies
and procedures, and
|
|
11.3.1.2.
|
Contact person or office: Responsible
for receiving complaints under this section and able
to provide information relating to the Privacy Notice
[¶ 4].
|
|
|
|
 164.530(b) |
|
 |
|
|
|
|
Required Training: CE must train, and
document the training of, all workforce members on policies and
procedures relating to PHI as necessary and appropriate to their
work functions, as follows:
|
11.3.2.1.
|
To all workforce members by the applicable
compliance date for the CE;
|
|
11.3.2.2.
|
To each new member of the workforce within
a reasonable time upon joining the CE's workforce;
|
|
11.3.2.3.
|
To each workforce member whose functions
are affected by a material change in policies or procedures
required under the privacy regulations, within a reasonable
time after the material change becomes effective.
|
|
|
 164.530(c) |
|
 |
|
|
|
|
Safeguards to be in place: CE must have
in place appropriate administrative, technical and physical safeguards
to reasonably safeguard PHI from intentional or unintentional unauthorized
use or disclosure. The CE must reasonably safeguard PHI to limit
incidental uses or disclosures made pursuant to an otherwise permitted
or required use or disclosure.
|
|
 164.530(d) |
|
 |
|
|
|
|
Complaint Process: CE must provide a
process for individuals to make complaints about the CE's policies
and procedures required by the privacy regulations and/or the CE's
compliance with those policies and procedures, and must document
all complaints received and disposition of same, if any.
|
|
| 164.530(e) |
|
 |
|
|
|
|
Sanctions to be in place: CE must have,
apply, and document application of appropriate sanctions against
its workforce members who fail to comply with the CE's privacy policies
and procedures or the requirements of the privacy regulations; NOTE:
This standard does not apply to workforce members' actions
meeting the requirements of the sections relating to disclosures
by whistleblowers and workforce member crime victims [164.502(j)/
¶ 3.3.], or intimidating and retaliatory acts [164.530(g)(2)/
¶ 11.3.7.2.].
|
|
| 164.530(f) |
|
 |
|
|
|
|
Mitigation of harmful effects: CE must
mitigate, to the extent practicable, any harmful effects that are known
to the CE of unauthorized uses/disclosures of PHI in violation of
its policies and procedures or the requirements of the privacy regulations
by CE or BA.
|
|
| 164.530(g) |
|
 |
|
|
|
|
Intimidating or retaliatory acts prohibited:
CE may not intimidate, threaten, coerce, discriminate against or
take other retaliatory action against:
|
11.3.7.1.
|
Any individual for exercise of any right
or participation in any process established by the privacy
regulations; or
|
|
11.3.7.2.
|
Any individual or other person for: filing
a complaint with the Secretary of HHS; testifying, assisting,
or participating in an investigation, compliance review, or proceeding/hearing
under the regulations; or engaging in reasonable opposition
to any act or practice that the person in good faith believes
to be unlawful under the regulations, as long as such opposition
does not involve the disclosure of PHI in violation of privacy
regulations.
|
|
|
| 164.530(h) |
|
 |
|
|
|
|
Waiver of Rights prohibited: CE may
not require individuals to waive any of their rights to file a complaint
with the Secretary of HHS or otherwise under these regulations as
a condition of treatment, payment, enrollment, or eligibility for
benefits.
|
|