Privacy Policies and Procedures
Generally, HIPAA-covered entities must implement policies and procedures for protected health information (PHI) that are designed to comply with the requirements of HIPAA's privacy rule. Covered entities are free to design their privacy policies and procedures as they see fit, so long as certain content requirements are met. The written policies and procedures requirement is intended to facilitate workforce training and the creation of the covered entity's notice of privacy practices, to enhance accountability under the privacy rule and to help ensure consistency in decisions relating to individuals' privacy rights.
With respect to responsibility for drafting and implementing HIPAA policies and procedures, for both self-insured and fully insured plans, the plan sponsor (generally the employer) is responsible for the plan's compliance with the written policies and procedures requirement. However, a group health plan is not subject to the privacy policies and procedures requirement if the group health plan is fully insured and does not create or receive PHI except for summary health information and enrollment information. This is commonly referred to as a fully insured “hands-off” plan.
Before implementing HIPAA policies and procedures, a covered entity must designate a privacy official and a privacy contact person or office. The privacy official is responsible for the development and implementation of the entity's privacy policies and procedures. The privacy official may be an additional responsibility given to an existing employee or may be a newly created position. The privacy contact person or office is responsible for receiving complaints and providing additional information about the plan's privacy practices and procedures.
Once a privacy official has been designated, the official can proceed with developing and implementing the entity's privacy policies and procedures. The policies and procedures must be in writing and must include:
- A definition of PHI
- Permitted uses and disclosures of PHI
- Any authorization requirements for other uses and disclosures
- Sanctions for violations of the covered entity's policies and procedures
- Privacy safeguards
- Complaints procedures
- Prohibition of retaliation and waiver of rights
- Record retention
- Data backup plan
- Disaster recovery plan
The policies and procedures should be reasonably designed to ensure compliance with the privacy rule, taking into account the size of the covered entity and the types of activities involving PHI that the covered entity undertakes.
Covered entities must also document and implement changes to policies and procedures as necessary or appropriate to comply with changes in the law and regulations. In particular, covered entities must revise their policies and procedures, if they have not already done so, to reflect changes required under the Health Information Technology for Economic and Clinical Health Act (commonly known as the HITECH Act).
On Sept. 16, 2013, HHS issued a model Notice of Privacy Practices. This is welcome news for employer sponsors of group health plans. For over 10 years, HIPAA has required covered entities (including group health plans) to create and distribute a Notice of Privacy Practices communicating the entity’s policies and procedures related to privacy, use and disclosure of protected health information (PHI), safeguards to protect PHI, the entity’s responsibilities and the individual’s rights. This, however, is the first time that a model notice has been provided.
The model notice is provided in three different formats: a booklet style, a layered notice and a text-only version. A plan sponsor may use whichever best suits its needs. The language provided should be used as a baseline and customized to reflect the plan’s specific policies and contact information. Instructions for creating the plan’s notice are also provided.
Fully insured plans that are provided through an insurance contract and that do not maintain or receive PHI outside enrollment or summary health information (“hands-off” employer) are exempt from many of the HIPAA privacy requirements, including the Notice of Privacy Practices. The insurance carrier issuing the policy is responsible for creating and distributing the notice to participants, although such employers should be aware of the requirement and work closely with insurers to understand the privacy practices of the insurer.
Employer Action Required
Employers sponsoring group health plans will generally need to comply with the written privacy policies and procedures requirement. Employers should select a privacy official to design and implement the plan's privacy policies and procedures. The policies and procedures should reflect all of the required content, as outlined above.
That said, fully insured hands-off group health plans (i.e., fully insured plans that do not create or receive PHI other than summary health information and enrollment information) are not required to comply with the written privacy policies and procedures requirement.
Penalties for Noncompliance
Covered entities that fail to properly implement HIPAA privacy policies and procedures may be subject to civil penalties from $100 to $50,000 per violation. In certain circumstances, criminal penalties may also apply, including a fine of up to $250,000 and imprisonment for up to 10 years.
Frequently Asked Questions
Q1. What is the difference between the privacy policies and procedures requirement and the Notice of Privacy Practices requirement?
A. The two requirements serve different purposes and are subject to different rules. Although a covered entity's policies and procedures and its Notice of Privacy Practices overlap somewhat, the policies and procedures should contain a detailed description of all of the entity's privacy practices and should provide guidance for the members of the covered entity's workforce who handle PHI and are responsible for privacy compliance. The Notice of Privacy Practices, on the other hand, is meant to inform participants of the covered entity's practices.
Q2. Is there any difference in meeting the written privacy policies and procedures requirement for smaller versus larger employers?
A. While the requirements are the same for employers of all sizes, the U.S. Department of Health and Human Services has stated that covered entities that employ more individuals and are involved in a wider array of endeavors are likely to require more specific policies. In addition, the requirements of the policies and procedures rule are flexible, so that smaller covered entities need not follow detailed rules that might be appropriate for larger entities with complex information systems. Because policies and procedures vary so much between covered entities of different sizes and types, it is important to engage outside counsel in drafting the written privacy policies and procedures.
Page last reviewed or updated April 2014.