164.530(i)

Necessary Policies and Procedures:

11.3.9.1. CE must design and implement policies
and procedures relating to PHI to comply with requirements
of the privacy regulations, taking into account the size and
the types of activities that relate to PHI engaged in by the
CE. (This standard is not to be construed to permit or excuse
an action that violates any other standard, implementation
specification, or other requirement of the privacy regulations.)

Changes to Policies and Procedures:

11.3.9.2.1. CE must change its policies and
procedures as necessary and appropriate to changes in
the law/regulations. Whenever there is a change
in law that necessitates a change to CE's policies
and procedures, CE must promptly document and implement
the revised policy or procedure; if the change materially
affects the content of the Privacy Notice [¶ 4.2.],
the CE must promptly make appropriate revisions to the
notice in accordance with 164.520(b)(3) [¶ 4.2.10.].

11.3.9.2.2. When CE changes its privacy practices
as stated in its Privacy Notice, and makes corresponding
changes in policies and procedures, changes may be effective
as to PHI created or received prior to the effective
date of the policy/procedure changes and notice revision
if its Privacy Notice includes a statement reserving
the right to make changes in the CE's privacy practices.
To implement a change in privacy practice, and corresponding
changes in policies/procedures, CE must ensure that
revised policies and procedures comply with the regulations,
document the revised policies and procedures, revise
the Privacy Notice and make it available; changes to
policies and procedures may not be implemented prior
to the effective date of the revised notice.

11.3.9.2.3. If CE has not reserved the right to
change privacy practices, CE is bound by the privacy practices
as stated in the Privacy Notice with regard to PHI created
or received while the notice is in effect; CE may change
a privacy practice without having reserved the right
to do so as long as the practice is in compliance with
the regulations and is effective only with respect to
PHI created or received after the effective date of
the notice (¶ 4.2.8).

11.3.9.2.4. CE may change policies and procedures
that do not materially affect the content of the Privacy
Notice provided that the revised policies and procedures
comply with the regulations and are properly documented.

164.530(j)

Documentation Requirements: CE must maintain
the required policies and procedures in written or electronic form,
and must maintain written or electronic copies of all communications,
actions, activities, or designations that are required to be documented
under the regulations, for a period of six years from the later
of the date of creation or the last effective date.

164.530(k)

Group Health Plans: To the extent that
a group health plan provides health benefits solely through an insurance
contract with a health insurance issuer or HMO, and the plan does
not create or receive PHI except for summary health information
(defined in 164.504(a)/¶ 10.1.7.) or information on the individual's
participation in the plan, or enrollment and disenrollment from
a health insurance issuer or HMO offered by the plan:

11.3.11.1. The group health plan is not subject to
the provisions requiring personnel designations, training,
safeguards, complaint process, sanctions, mitigation, and
policies and procedures, described in ¶ 11.3; and

11.3.11.2. The group health plan is subject to the
documentation standard only with respect to plan documents
amended in accordance with 164.504(f) [relating to sharing
of information among or between a group health plan, the plan
sponsor, a health insurance issuer, and/or an HMO] [¶ 10.6.].