Industries & Practices

Health Care Industry


    HIPAA Regulations: The Administrative Requirements: Documentation - § 164.530(j)

    As Contained in the HHS HIPAA Rules


    HHS Regulations
    The Administrative Requirements: Documentation - § 164.530(j)


    1. Standard: documentation. A covered entity must:

      1. Maintain the policies and procedures provided for in paragraph (i) of this section in written or electronic form;

      2. If a communication is required by this subpart to be in writing, maintain such writing, or an electronic copy, as documentation; and

      3. If an action, activity, or designation is required by this subpart to be documented, maintain a written or electronic record of such action, activity, or designation.

      4. Maintain documentation sufficient to meet its burden of proof under §164.414(b).

    2. Implementation specification: retention period. A covered entity must retain the documentation required by paragraph (j)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.


    HHS Description
    The Administrative Requirements: Documentation


    Note that the HHS description for "Documentation" is the same as that for "Policies and Procedures."

    In § 164.520 of the NPRM, we proposed to require covered entities to develop and document their policies and procedures for implementing the requirements of the rule. In the final regulation we retain this approach, but specify which standards must be documented in each of the relevant sections. In this section, we state the general administrative requirements applicable to all policies and procedures required throughout the regulation.

    In § 164.530(i), (j), and (k) of the final rule, we amend the NPRM language in several respects. In § 164.530(i) we require that the policies and procedures be reasonably designed to comply with the standards, implementation specifications, and other requirements of the relevant part of the regulation, taking into account the size of the covered entity and the nature of the activities undertaken by the covered entity that relate to protected health information. However, we clarify that the requirements that policies and procedures be reasonably designed may not be interpreted to permit or excuse any action that violates the privacy regulation. Where the covered entity has stated in its notice that it reserves the right to change information practices, we allow the new practice to apply to information created or collected prior to the effective date of the new practice and establish requirements for making this change. We also establish the conditions for making changes if the covered entity has not reserved the right to change its practices.

    We require covered entities to modify in a prompt manner their policies and procedures to comply with changes in relevant law and, where the change also affects the practices stated in the notice, to change the notice. We make clear that nothing in our requirements regarding changes to policies and procedures or changes to the notice may be used by a covered entity to excuse a failure to comply with applicable law.

    In § 164.530(j), we require that the policies and procedures required throughout the regulation be maintained in writing, and that any other communication, action, activity, or designation that must be documented under this regulation be documented in writing. We note that “writing” includes electronic storage; paper records are not required. We also note that, if a covered entity is required to document the title of a person, we mean the job title or similar description of the relevant position or office.

    We require covered entities to retain any documentation required under this rule for at least six years (the statute of limitations period for the civil penalties) from the date of the creation of the documentation, or the date when the document was last in effect, which ever is later. This generalizes the NPRM provision to cover all documentation required under the rule. The language on “last was in effect” is a change from the NPRM which was worded “unless a longer period applies under this subpart.”

    This approach is consistent with the approach recommended by the Joint Commission on Accreditation of Healthcare Organizations, and the National Committee for Quality Assurance, in its paper “Protecting Personal Health Information; A framework for Meeting the Challenges in a Managed Care Environment.” This paper notes that “MCOs [Managed Care Organizations] should have clearly defined policies and procedures for dealing with confidentiality issues.” (p. 29).


    HHS Response to Comments Received
    The Administrative Requirements: Documentation


    Note that the HHS response to comments received for "Documentation" is the same as that for "Policies and Procedures."

    Comments: Many of the comments to this provision addressed the costs and complexity of the regulation as a whole, not the additional costs of documenting policies and procedures per se. Some did, either implicitly or explicitly, object to the need to develop and document policies and procedures as creating excessive administrative burden. Many of these commenters also asserted that there is a contradiction between the administrative burden of this provision and one of the statutory purposes of this section of the HIPAA to reduce costs through administrative simplification. Suggested alternatives were generally reliance on existing regulations and ethical standards, or on current business practices.

    Response: A specific discussion of cost and burden is found in the Regulatory Impact Analysis of this final rule.

    We do not believe there is a contradiction between the administrative costs of this provision and of the goal of administrative simplification. In the Administrative Simplification provisions of the HIPAA, Congress combined a mandate to facilitate the efficiencies and cost savings for the health care industry that the increasing use of electronic technology affords, with a mandate to improve privacy and confidentiality protections. Congress recognized, and we agree, that the benefits of electronic commerce can also cause increased vulnerability to inappropriate access and use of medical information, and so must be balanced with increased privacy protections. By including the mandate for privacy standards in section 264 of the HIPAA, Congress determined that existing regulations and ethical standards, and current business practices were insufficient to provide the necessary protections.

    Congress mandated that the total benefits associated with administrative simplification must outweigh its costs, including the costs of implementing the privacy regulation. We are well within this mandate.

    Comments: Several commenters suggested that the documentation requirements not be established as a standard under the regulation, because standards are subject to penalties. They recommend we delete the documentation standards and instead provide specific guidance and technical assistance. Several commenters objected to the suggestion in the NPRM that professional associations assist their members by developing appropriate policies for their membership. Several commentators representing professional associations believed this to be an onerous and costly burden for the associations, and suggested instead that we develop specific models which might require only minor modification. Some of these same associations were also concerned about liability issues in developing such guidelines. One commenter argued that sample forms, procedures, and policies should be provided as part of the Final Rule, so that practitioners would not be overburdened in meeting the demands of the regulations. They urged us to apply this provision only to larger entities.

    Response: The purpose of requiring covered entities to develop policies and procedures for implementing this regulation is to ensure that important decisions affecting individuals' rights and privacy interests are made thoughtfully, not on an ad hoc basis. The purpose of requiring covered entities to maintain written documentation of these policies is to facilitate workforce training, and to facilitate creation of the required notice of information practices. We further believe that requiring written documentation of key decisions about privacy will enhance accountability, both within the covered entity and to the Department, for compliance with this regulation.

    We do not include more specific guidance on the content of the required policies and procedures because of the vast difference in the size of covered entities and types of covered entities' businesses. We believe that covered entities should have the flexibility to design the policies and procedures best suited to their business and information practices. We do not exempt smaller entities, because the privacy of their patients is no less important than the privacy of individuals who seek care from large providers. Rather, to address this concern we ensure that the requirements of the rule are flexible so that smaller covered entities need not follow detailed rules that might be appropriate for larger entities with complex information systems.

    We understand that smaller covered entities may require some assistance, and intend to provide such technical assistance after publication of this rule. We hope to work with professional associations and other groups that target classes of providers, plans and patients, in developing specialized material for these groups. Our discussions with several such organizations indicate their intent to work on various aspects of model documentation, including forms. Because the associations' comments regarding concerns about liability did not provide sufficient details, we cannot address them here.

    Comment: Many commenters discussed the need for a recognition of scalability of the policies and procedures of an entity based on size, capabilities, and needs of the participants. It was noted that the actual language of the draft regulations under § 164.520 did not address scalability, and suggested that some scalability standard be formally incorporated into the regulatory language and not rely solely on the NPRM introductory commentary.

    Response: In § 164.530(i)(1) of the final rule, we specify that we require covered entities to implement policies and procedures that take into account the size of the covered entity and the types of activities that relate to protected health information undertaken by the covered entity.

    Comment: One commenter objected to our proposal to allow covered entities to make uses or disclosures not permitted by their current notice if a compelling reason exists to make the use or disclosure and the entity documents the reasons and changes its policies within 30 days of the use or disclosure. The commenter argued that the subjective language of the regulation might give entities the ability to engage in post hoc justifications for violations of their own information practices and policies. The commenter suggested that there should be an objective standard for reviewing the covered entity's reasons before allowing the covered entity to amend its policies.

    Response: We eliminate this provision from the final rule. The final rule requires each covered entity to include in its notice of information practices a statement of all permitted uses under this rule, not just those in which the covered entity actually engages in at the time of that notice.

    Comment: Some commenters expressed concern that the required retention period in the NPRM applied to the retention of medical records.

    Response: The retention requirement of this regulation only applies to the documentation required by the rule, for example, keeping a record of accounting for disclosures or copies of policies and procedures. It does not apply to medical records.

    Comments: Comments on the six year retention period were mixed. Some commenters endorsed the six-year retention period for maintaining documentation. One of the comments stated this retention period would assist physicians legally. Other commenters believed that the retention period would be an undue burden. One commenter noted that most State Board of Pharmacy regulations require pharmacies to keep records for two years, so the six year retention period would triple document retention costs.

    Response: We established the retention period at six years because this is the statute of limitations for the civil monetary penalties. This rule does not apply to all pharmacy records, but only to the documentation required by this rule.