OVERVIEW OF THE FINAL AMENDMENTS TO THE HIPAA PRIVACY RULE
On August 14, 2002, the U.S. Department of Health and Human Services ("DHHS") published the final amendments to the HIPAA Privacy Rule. See 67 Fed. Reg. 53182 (August 14, 2002). The final amendments address the many public comments and criticisms received by DHHS in response to the final Privacy Rule. The final amendments attempt to respond to the industry's request that the administrative burden of the Rule be reduced while maintaining the individual privacy protections afforded by the Rule. Highlights of the final amendments are summarized briefly below.
A. Consent Form
Previous Requirement: A direct treatment health care provider was required to obtain a patient's written consent in order to use or disclose protected health information ("PHI") for the purpose of treatment, payment or health care operations.
Final Amendment: A direct treatment health care provider is not required to obtain the patient's written consent prior to using or disclosing PHI for treatment, payment or health care operations. However, the direct treatment health care provider is required to use “best efforts” to obtain the patient's written acknowledgment that he or she received the Notice of Privacy Practices.
The final amendment also permits a covered entity to disclose PHI without obtaining written patient consent:
1) To any health care provider for the purposes of that provider's treatment activities;
2) To another covered entity or to any provider for that entity's payment activities;
3) To another covered entity for specified health care operations (e.g., credentialing, quality assessment, fraud and abuse detection) as long as the other entity has a relationship with the patient.
B. Authorization Form
Previous Requirement: The authorization form requirements differed depending on whether the covered entity was requesting the authorization for: 1) its own purposes, 2) the purposes of another individual or entity; or 3) PHI created for research that included medical treatment of the research subject.
Final Amendment: The three different types of authorization forms can be combined into one form regardless of the purpose for obtaining the authorization.
C. Accounting of PHI Disclosures
Previous Requirement: An individual had the right to obtain an accounting of every disclosure of his/her PHI made by a covered entity during the six years preceding the request. The primary exceptions to the accounting requirement were that a covered entity was not required to include (1) disclosures made directly to the requesting individual or (2) disclosures made for the purposes of treatment, payment or health care operations.
Final Amendment: The exceptions to an accounting of disclosures are expanded to include any disclosure made pursuant to a written authorization form. This would essentially limit the accounting of disclosures to those disclosures made pursuant to § 164.512 of the Privacy Rule, a section that describes the limited conditions under which neither consent nor authorization is required prior to use or disclosure (e.g., disclosures required by law).
D. Minimum Necessary Requirement
Previous Requirement: When using or disclosing PHI, a covered entity was required to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure. Concern had been expressed that the standard impeded customary and necessary communications (e.g., sign-in sheets, phone conversations) since such communications might inadvertently be seen or overheard by unauthorized individuals.
Final Amendment: The minimum necessary standard does not apply to uses or disclosures for which an authorization was obtained. Also, incidental use or disclosure of PHI is permitted if: (1) it is a secondary use or disclosure that cannot reasonably be prevented; (2) it occurs as the result of an otherwise permitted use or disclosure; and (3) the covered entity has implemented reasonable safeguards required by the Privacy Rule and otherwise adheres to the minimum necessary standard.
E. Business Associate Agreements
Previous Requirement: Covered entities were to have business associate agreements executed with all business associates by April 14, 2003.
Final Amendment: Written contracts with business associates that renew on or after April 14, 2003 are deemed compliant until the earlier of the contract renewal date or April 14, 2004. All new contracts, oral contracts and contracts that renew prior to April 14, 2003 must be in compliance with the business associate agreement requirements by April 14, 2003.
In addition, the final amendment contains model language that may be used in drafting business associate agreements. A covered entity is not, however, required to use the model language.
F. Marketing
Previous Requirement: A covered entity could use PHI for certain activities, not deemed “marketing,” as long as a patient consent had been obtained. Such activities included (1) face-to-face communications between the covered entity and the patient and (2) the mailing of information on health-related products or services to patients whom the covered entity has determined might benefit from the information.
Final Amendment: The activities that are not deemed “marketing” include:
(a) communications to plan enrollees to describe a health-related product or service that is included in a plan of benefits offered by a health plan (including provider directories) and health-related products or services available only to health plan enrollees (such as mail order pharmacy benefits);
(b) communications related to the treatment of a patient (such as appointment reminders, results of testing, etc.); or
(c) communications for case management or care coordination or to direct or recommend alternative treatments, therapies, providers or settings of care.
“Marketing” means any other communications about a product or service that encourage purchase or use of the product or service and any arrangement between a covered entity and a third party whereby the covered entity discloses PHI to the third party in exchange for direct or indirect remuneration so that the third party can communicate with patients (or plan enrollees) about its own product or service (and encourage purchase or use). For any activity that is marketing, the covered entity must obtain the advance written authorization of the patient, except if the communication is in the form of:
(1) a face-to-face communication; or
(2) a promotional gift of nominal value (e.g., pen, calendar).
There is no longer an ability to obtain authorization through opt-out mechanisms. There is no longer an exception for marketing activities conducted through general newsletters.
G. Research
Final Amendment: While research under HIPAA is a complex subject, the final amendment clarifies that covered entities may only use or disclose PHI for research under the following conditions: (1) the covered entity obtains patient authorization or an IRB or “privacy board” waiver of authorization; (2) the research is limited to reviews preparatory to research (e.g., to prepare a research protocol); (3) the research is limited to PHI of deceased individuals; or (4) the research involves only “de-identified” information or a “limited data set”.
Patient Authorization. A patient authorization (1) may be combined with the informed consent to participate in the research study; (2) may condition research-related treatment on the receipt of the authorization for use and disclosure of PHI for the research; and (3) need not list an expiration date or event as required for general patient authorizations. Although patients can revoke an authorization, a covered entity may continue to use and disclose PHI obtained prior to the revocation as necessary to maintain the integrity of the research.
IRB or Privacy Board Waiver. Before an IRB or privacy board can issue a waiver of authorization, the Board must first determine (1) that the waiver involves no more than a minimal risk to the privacy of the patients; (2) the research could not be practicably conducted without the waiver; and (3) the research could not be practicably conducted without access to the PHI.
Reviews Preparatory to Research. A covered entity may use or disclose PHI to prepare a research protocol if the entity obtains representations from the researcher that (1) use or disclosure of PHI is sought solely as necessary to prepare a research protocol or for other similar uses; (2) the researcher will not remove any PHI from the entity; and (3) the PHI is necessary for the research purposes. The covered entity should have a process to ensure that the researcher does not take any action that is inconsistent with these representations.
Decedent’s PHI. A covered entity may use or disclose a decedent’s PHI for research purposes if the entity obtains representations from the researcher that (1) use or disclosure is sought solely for research on the PHI of deceased patients; (2) the researcher can provide documentation of the death of such patients; and (3) the PHI is necessary for the research purposes. The covered entity should have a process to ensure that the above criteria are satisfied.
Limited Data Sets. A covered entity may use or disclose PHI that contains only indirect identifiers (e.g., zip codes, dates of service, age, etc.) but is not completely de-identified. The covered entity must obtain a “data use agreement” in which the recipient agrees to use the information only for specified research purposes, to not further disclose the information and to not contact the individuals, among other requirements.
Transition Provisions. Researchers are permitted to use or disclose PHI that was created or received before April 14, 2003 if the researcher obtained, prior to April 14, 2003, (1) the informed consent of the individual to participate in the research, (2) an authorization or express legal permission to use or disclose PHI from the research, or (3) an IRB waiver of informed consent for the research. No new authorization or waiver is required for information created or obtained after April 14, 2003.
HIPAA QUESTIONS & ANSWERS
(Includes comments related to the new proposed amendments to the Privacy Rule)
Notice, Consent and Authorization
1.Q: If a physician's first contact with a patient is in a hospital setting, must the physician obtain consent for use and disclosure of PHI before treatment? If yes, how is that accomplished?
1.A: Generally, the Privacy Rule, as amended, allows a physician to use PHI for treatment, payment and routine healthcare operations without obtaining the patient’s written consent, provided that the physician uses best efforts to obtain the patient’s written acknowledgement that the patient has received the physician’s Notice of Privacy Practices. For the purposes of a short-term hospital consultation, the consultant need not give the patient a Notice of Privacy Practices and obtain an acknowledgement. However, if the consulting physician continues a direct treating relationship with the patient after release from the hospital, the consulting physician must provide the Notice and obtain written acknowledgement of receipt. The physician may also voluntarily obtain consent to use and disclosure of PHI.
2.Q: Can a friend or relative pick up the first filling of a prescription telephoned in by the attending physician, before any consent or authorization has been signed by the patient?
2.A: There are really two questions here. First, can the pharmacist fill the prescription, if he must use PHI to do so, without first obtaining the consent of the patient? Second, if the pharmacist can fill the prescription, can a relative pick up the prescription? With respect to the first question, the Privacy Rule, as amended, allows the pharmacist to fill the first prescription without the patient's consent to the use and disclosure of PHI. However, the pharmacist should provide a Notice of Privacy Practices to the patient upon the patient's first visit to the pharmacy and obtain written acknowledgement of receipt.
As to the second question, a family member may pick up a prescription for the patient, without specific written authorization from the patient, as long as the pharmacist can make a reasonable inference that the family member is involved in the patient’s care (e.g., knows of the need for the specified prescription) and it would be in the patient’s best interest to allow the family member to pick up the prescription.
3.Q: Is a signed authorization necessary to send office records when referring to another provider (e.g., physician or home health agency)?
3.A: No, a signed authorization is not necessary to send office records to another provider. Referral to another provider is part of the treatment of the patient. If the Notice of Privacy Practices distributed by the referring provider describes this type of disclosure, the patient has been informed of this practice. The referring provider should obtain written acknowledgement that the patient has received the Notice of Privacy Practices.
4.Q: Must the practice obtain the authorization of a patient before faxing a patient list to the transcriptionist? Faxing PHI to another physician? Faxing PHI to the hospital?
4.A: No. Faxing a patient list to the transcriptionist is part of the routine healthcare operations of the practice. As stated in Q.3 above, once written acknowledgement of receipt of the Notice of Privacy Practices has been obtained, PHI may be used and disclosed to another physician for treatment. Depending on the purpose for which PHI is faxed to a hospital, the fax is likely to be a use or disclosure for treatment, payment or healthcare operations. The fact that a fax, rather than an arguably more secure method, is used to transfer the PHI is of no consequence as long as reasonable security precautions are observed.
5.Q: Must the practice obtain the authorization of a patient before releasing PHI to legal counsel or the insurance carrier regarding potential litigation?
5.A: No authorization is necessary to release PHI to the practice’s legal counsel or insurance carrier. This type of disclosure is within the category of routine healthcare operations. As stated in Q.3 above, as long as written acknowledgement of receipt of the Notice of Privacy Practices has been obtained, use and disclosure for this purpose is allowed.
6.Q: How are consent and authorization obtained by indirect providers like radiologists and pathology providers when working in hospitals? Is an anesthesiologist a direct or indirect provider?
6.A: Indirect providers, i.e., those who do not have a direct care relationship with a patient, are not required by the Privacy Rule to obtain consent to the use and disclosure of PHI or to obtain written acknowledgement of receipt of the Notice of Privacy Practices. In most cases, any use or disclosure of PHI to or by these providers is covered by the consent or acknowledgement obtained by the direct treating providers. Thus, the pathologist who examines and reports findings about a tissue sample, or the radiologist who interprets an x-ray, but does not have any direct contact with the patient, does not need any further consent or acknowledgement from the patient to use and disclose PHI. On the other hand, if a radiologist performs interventional radiology (e.g., performs an IVP), the radiologist is no longer an indirect provider. The radiologist in this type of direct care relationship, as well as the anesthesiologist who has a direct care relationship with a patient, needs to provide the patient a Notice of Privacy Practices and obtain written acknowledgement of receipt from the patient before using and disclosing PHI. As a practical matter, the use and disclosure of PHI by these practitioners is usually covered by the Notice provided by the hospital or outpatient center in which the procedure or surgery is performed. It would be prudent for the interventional radiologist or the anesthesiologist to verify this.
7.Q: Because of the changes made by the Final Amendments, should a practice eliminate the consent portion of its patient intake forms and, rather, include a signature line for written acknowledgement of receipt of the Notice of Privacy Practices?
7.A: While the Final Amendments have eliminated the requirement of obtaining consent, they have not eliminated the need for a patient signature prior to use or disclosure of the patient’s PHI, i.e., there is still a need to obtain the patient’s written acknowledgement of receipt of the Notice. As long as the patient must sign forms anyway, it may be prudent to keep the consent provision in the patient intake forms because this provides good evidence of the patient’s affirmative approval of the practice’s use of PHI for treatment, payment and healthcare purposes.
Physical Safeguards
8.Q: Do the office charts need to be locked up at night? What about the charts on the physicians' desks?
8.A: As a general rule, both the HIPAA Privacy Rule and the proposed Security Rule require a covered entity to implement the physical safeguards necessary to ensure the privacy of PHI, whether in electronic or paper format. In either case, the practice should take reasonable steps to ensure that PHI is secure. These steps may include keeping medical charts, whether in the record room or in physicians' offices, in secure desk/file drawers and locked rooms after hours and on weekends to deter unauthorized access.
9.Q: How do the Privacy and Security Rules affect how patient records are transferred from the main office to satellite offices? May staff or physicians travel with patient records?
9.A: The electronic transfer of medical records from a practice’s main office to a satellite office will ultimately be governed by the Security Rule. Under the proposed Security Rule, the practice must ensure the security of the patient records before, during, and after the records are transmitted electronically. The proposed Security Rule contains various requirements for transmission of PHI over internal and external networks, including, but not limited to: data authentication, access control, audit controls, and event reporting (e.g., documented user logs and reports of security breaches). A practice that regularly transmits medical records via electronic communications networks should consult a qualified technology vendor to determine the most appropriate method of complying with the Security Rule.
Neither the Privacy Rule nor the proposed Security Rule specifically addresses the physical transfer of medical records from a main office to a branch or satellite office. Although not required, it is certainly appropriate (and perhaps preferred, depending on the sensitivity of the health information) to have a staff member or physician accompany the medical records in transit. If sent by courier or mail, the records should be sealed and addressed to a specific recipient, with no patient-identifying information visible on the envelope. While the records are in transit, the staff member or physician should ensure that the records are not left unattended in an unlocked car while stopping for gas, coffee, etc., and are not left on a seat where family members or other passersby might peruse them. The records should be returned to the main office as promptly as possible.
10.Q: Does HIPAA affect how records are faxed or mailed after an appropriate authorization is obtained?
10.A: The HIPAA Privacy Rule and proposed Security Rule do not specifically address the use of facsimile machines to transmit protected health information, although faxes are a form of “electronic transmission” covered by the Security Rule. In practice, covered entities should implement whatever steps they believe are reasonably necessary to ensure the confidentiality and security of protected health information. The fax machine should be located in an area that is not frequented by patients and other visitors to the office. When faxing medical records, the following protections should be taken: (i) verify the intended recipient’s name and fax number; (ii) remove medical records from the fax machine as soon as the fax has been completed; (iii) confirm delivery to the proper addressee; and (iv) document the fax transmission in the patient’s medical record. If the transmission of medical records was for a purpose other than treatment, payment or routine healthcare operations, the transmission should be logged in a manner that will allow an accounting to the patient at a later date. Similar safeguards apply to the mailing of medical records.
11.Q: Does HIPAA affect how the receptionist uses the computer at the front desk?
11.A: Yes. The proposed Security Rule expressly requires a covered entity to have policies and guidelines on appropriate workstation use. At a minimum, these policies should address the proper physical attributes of the workstation site and appropriate access controls for workstation areas and terminals. The degree to which the HIPAA regulations will affect your entity's current practices depends in large part on your existing privacy and security practices. For example, if your medical practice's reception area could allow patients and other visitors to view PHI on computer screens or on documents present at the workstation, then your practice must make certain changes to comply with the HIPAA Privacy and Security regulations. These changes may include placing computer terminals and printers away from the front desk and/or reception areas, or locating these computer terminals in areas not easily visible to patients and other visitors.
12.Q: If two physicians in the same practice share an office, must the physicians separately maintain the privacy of their dictations, notes and charts? If two physicians have an office sharing arrangement, must the physicians separately maintain the privacy of their charts?
12.A: Yes, to both questions. Neither the Privacy Rule nor the proposed Security Rule specifically addresses office sharing. Yet, it is clear that each physician practice – as a separate “covered entity” – needs to take whatever steps are reasonably necessary to ensure the confidentiality and security of its patients' protected health information. These steps include implementing proper record storage and access controls (e.g., segregated locked file cabinets and/or file rooms, with access restricted to approved personnel), appropriate technical security (limiting access to electronically-maintained information to those individuals with a genuine “need-to-know”), and appropriate staff training.
13.Q: Does the HIPAA Privacy Rule apply to oral communications? If yes, what special precautions are necessary regarding oral communications with patients, both in person and on the telephone?
13.A: Yes. The HIPAA Privacy Rule applies generally to individually identifiable health information whether oral or recorded in any form or medium. Although the HIPAA Privacy Rule expressly permits oral or written disclosures of protected health information to the patient, physicians and staff must use common sense when making such disclosures. For example, physicians and staff should not make calls to patients, engage in face-to-face discussions with patients or discuss patient matters in areas where such conversations can be overheard by other patients or visitors to the office. Likewise, physicians and staff should strongly reconsider the common practice of leaving telephone messages on patients’ answering machines or with individuals other than the patient.
Covered Entities and Business Associates
14.Q: Must a plan sponsor, when sending enrollment information to the plan TPA, send the information as a standard transaction?
14.A: No. The standard transactions are required to be used only in transactions between covered entities. While the plan sponsor may be a covered entity in a self-insured arrangement, the TPA is not a covered entity but rather a business associate of the plan sponsor. Transactions between a covered entity and its business associate are not required to be in a standard format.
15.Q: Is a transcription service a business associate of a physician practice? If yes, does the practice need a business associate agreement with the transcription service provider?
15.A: Yes, to both questions. Under the Privacy Rule, a business associate is generally defined as an entity that performs a function or activity involving PHI on behalf of a covered entity. The practice, as a health care provider, is a covered entity, and the transcription service transcribes PHI on behalf of the practice. Thus, a transcription service is a business associate. The Privacy Rule requires a covered entity to enter into a business associate agreement with all of its business associates. Therefore, the practice must enter into a business associate agreement with a transcription service.
16.Q: Is an outside physician consultant engaged by a health plan considered to be a business associate of the health plan? If yes, is a business associate agreement required?
16.A: Yes, to both questions. Under the Privacy Rule, a business associate is generally defined as an entity that performs a function or activity involving PHI on behalf of a covered entity. A health plan is a covered entity. Assuming the physician consultant is performing a medical management or professional review function using member medical records on behalf of the health plan, the physician consultant is a business associate of the health plan. The Privacy Rule requires a covered entity to enter into a business associate contract with all business associates. Thus, the health plan must enter into a business associate agreement with the physician consultant.
Obligation to Mitigate Violations
17.Q: Does the practice have an obligation to disclose a violation of the HIPAA Privacy Rule to the subject patient?
17.A: A covered entity has a duty under the Privacy Rule to mitigate, to the extent practicable, any harmful effect that is known to the covered entity as a result of the use or disclosure of PHI in violation of the Rule. There is no express requirement that the patient be notified at the time of the unlawful use or disclosure as part of the mitigation. However, an unlawful use or disclosure will come to light if and when a patient requests an accounting of all disclosures for purposes other than treatment, payment or routine health care operations. Because any unlawful use or disclosure falls outside of treatment, payment or routine operations, a record of it should be made and maintained. We suspect that a patient is likely to be more understanding if the practice is forthcoming about the violation and its mitigation at the time it happens, rather than waiting until the patient brings the unauthorized use and disclosure to the attention of the practice at the time of the accounting.
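The accounting rules described in Section C of the overview, in 10.A (logging faxes sent for purposes other than treatment, payment or operations) and in 17.A (recording unlawful disclosures so they surface in an accounting) can be implemented as a small disclosure log. The following is an added example and not code from the original page: it keeps every disclosure, applies the six-year lookback and the exemptions only when an accounting is produced, and never exempts a non-permitted disclosure. The Disclosure fields, the Purpose labels, the helper names and the sample records are assumptions made for the example.

```python
"""Disclosure log supporting a HIPAA "accounting of disclosures".

Added example, not code from the original page.  It encodes the rules the
page states: a six-year lookback from the request date; exclusion of
disclosures to the individual, for treatment/payment/health care operations
and those made under a written authorization; and inclusion of any
disclosure that was not permitted (a violation), which must be logged so
it appears in a later accounting.  Field names, Purpose labels and the
sample records are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import Enum


class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "health care operations"
    TO_INDIVIDUAL = "to the individual"
    AUTHORIZATION = "pursuant to written authorization"
    REQUIRED_BY_LAW = "required by law"
    PUBLIC_HEALTH = "public health activity"
    UNAUTHORIZED = "not permitted (violation)"


# Disclosures excluded from an accounting under the amended Privacy Rule.
EXEMPT = {Purpose.TREATMENT, Purpose.PAYMENT, Purpose.OPERATIONS,
          Purpose.TO_INDIVIDUAL, Purpose.AUTHORIZATION}
LOOKBACK_YEARS = 6


def _as_date(d: date | str) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def lookback_start(requested_on: date | str) -> date:
    """First day covered by an accounting requested on `requested_on`."""
    requested_on = _as_date(requested_on)
    year = requested_on.year - LOOKBACK_YEARS
    try:
        return requested_on.replace(year=year)
    except ValueError:            # 29 Feb with no 29 Feb six years earlier
        return requested_on.replace(year=year, day=28)


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    on: date
    recipient: str        # who received the PHI (name, or address if unknown)
    purpose: Purpose
    description: str      # brief description of what was disclosed
    channel: str = "fax"  # fax, mail, courier, ...


class DisclosureLog:
    def __init__(self) -> None:
        self._entries: list[Disclosure] = []

    def record(self, d: Disclosure) -> None:
        # Every disclosure is recorded, exempt or not; exemptions are applied
        # only when the accounting is produced, so history is never lost.
        self._entries.append(d)

    def accounting(self, patient_id: str, requested_on: date | str) -> list[Disclosure]:
        """Disclosures that must be reported to the patient, oldest first."""
        requested_on = _as_date(requested_on)
        start = lookback_start(requested_on)
        hits = [d for d in self._entries
                if d.patient_id == patient_id
                and start <= d.on <= requested_on
                and d.purpose not in EXEMPT]
        return sorted(hits, key=lambda d: d.on)

    def violations(self) -> list[Disclosure]:
        """Non-permitted disclosures that need mitigation follow-up."""
        return [d for d in self._entries if d.purpose is Purpose.UNAUTHORIZED]


def format_accounting(entries: list[Disclosure]) -> list[str]:
    """One line per disclosure: date, recipient, what was disclosed, why."""
    return [f"{d.on.isoformat()} | {d.recipient} | {d.description} | {d.purpose.value}"
            for d in entries]


def sample_log() -> DisclosureLog:
    """Constructed sample records for one practice (not real data)."""
    log = DisclosureLog()
    p = "PT-0001"
    for d in (
        Disclosure(p, date(2003, 5, 1), "Dr. Smith (referral)", Purpose.TREATMENT, "office notes"),
        Disclosure(p, date(2003, 6, 2), "Acme Health Plan", Purpose.PAYMENT, "claim, 2 pages"),
        Disclosure(p, date(2003, 7, 9), "State health department", Purpose.PUBLIC_HEALTH, "lab result"),
        Disclosure(p, date(2003, 8, 3), "Life insurer", Purpose.AUTHORIZATION, "complete chart", "mail"),
        Disclosure(p, date(2004, 1, 15), "misdialed fax number", Purpose.UNAUTHORIZED, "discharge summary"),
        Disclosure(p, date(1997, 3, 1), "Court (subpoena)", Purpose.REQUIRED_BY_LAW, "visit dates", "courier"),
        Disclosure("PT-0002", date(2004, 2, 1), "County coroner", Purpose.REQUIRED_BY_LAW, "full record"),
    ):
        log.record(d)
    return log


if __name__ == "__main__":
    for line in format_accounting(sample_log().accounting("PT-0001", "2004-03-01")):
        print(line)
```

Run as a script, the sample produces two lines for PT-0001 as of March 1, 2004: the public-health report and the misdirected fax. The referral, claim and authorized disclosure are exempt, and the 1997 subpoena falls outside the six-year window. Keeping exempt entries in the log is deliberate: the exemption list changed with the 2002 amendments, and a log that only stores what is reportable today cannot be re-run under a different rule.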
Compliance Dates
18.Q: With respect to the EDI Rule, does the practice have to file for an extension of the compliance date if the practice is compliant but one or more payors is not compliant?
18.A: No. The payor is a covered entity in its own right. The practice has no responsibility for the compliance of another covered entity. Nor should the practice incur any liability by reason of not using a standard format for a transaction with a non-compliant payor.
19.Q: Is October 16, 2003 the compliance date for the EDI Rule?
19.A: The EDI Rule became effective on October 16, 2000. The Rule originally required all covered entities to comply with its requirements by October 16, 2002. In December 2001, Congress extended the deadline to October 16, 2003 for any covered entity that filed a request for extension and plan of compliance by October 16, 2002. Therefore, any covered entity that filed an extension has until October 16, 2003 to comply with the EDI Rule.
20.Q: What if a covered entity is not compliant by October 16, 2003?
20.A: The deadline for compliance remains October 16, 2003. However, the DHHS has heard a number of concerns about the state of readiness of the healthcare industry. The DHHS has outlined its enforcement approach in new guidance available at: http://cms.hhs.gov/hipaa/hipaa2/guidance-final.pdf. Briefly, the DHHS will focus on voluntary compliance and a complaint-driven approach to enforcement. If a complaint is filed against a covered entity, the DHHS will give the covered entity an opportunity to demonstrate compliance, document its good faith efforts to comply and submit a corrective action plan. All of these steps are described in detail in the guidance.
21.Q: Do the proposed amendments to the Privacy Rule extend any of the deadlines for compliance with the Privacy Rule?
21.A: The Privacy Rule, as amended, extends the deadline for the execution of business associate agreements under certain conditions. If an existing agreement is not modified or renewed at any time before April 14, 2003, it will be deemed compliant with the Privacy Rule until April 14, 2004. If an existing agreement with a business associate is modified or renewed on or before April 14, 2003, it must be compliant by April 14, 2003. If an existing agreement with a business associate is renewed or modified at any time after April 14, 2003, it must be compliant on the earlier of the date of renewal/modification or April 14, 2004. Oral agreements must be compliant by April 14, 2003. Any new agreement with a business associate that is entered into prior to April 14, 2003 must be compliant by April 14, 2003.