System shall engage in document retention efforts for the purpose of demonstrating past compliance, and to facilitate continued compliance, with the HIPAA Privacy Standards.
9.2(1) Overview of Privacy Documentation
System shall maintain records, either in written or electronic form, of its activities that are conducted in accordance with this Manual. The content, organization, and duration of such records are described in this Section 9.2.
9.2(2) Designated Record Set to Be Maintained for Each Covered Individual
A Designated Record Set of all PHI attributable to a Member whose PHI is held by OEB shall be separately maintained for each individual. OEB does not hold Psychotherapy Notes. In the event that another office maintains Psychotherapy Notes attributable to an Individual as a Business Associate, the office shall maintain them separately from the rest of the Individual’s medical record.
9.2(3) Contents of a Designated Record Set
In addition to any PHI held by OEB on behalf of an Individual as a Designated Record Set, the following documents shall be included in the Designated Record Set:
- Authorizations: Any valid Authorization signed by the Individual, in the event that System may presently Use or Disclose the covered individual’s PHI in reliance on such Authorization. An Authorization that has expired, been revoked, or otherwise been determined to be invalid shall be removed from the Individual’s Designated Record Set.
- Determination to Treat a Person as a Personal Representative: Documentation of any determination by the Privacy Officer to treat a person as the covered individual’s personal representative in accordance with Section 4.12 of this Manual. Such documentation shall be removed from the individual’s Designated Record Set in the event that the Privacy Officer determines that such person is no longer the Individual’s Personal Representative.
- Restrictions on Uses and Disclosures: Any restriction on System’s Use or Disclosure of the Individual’s PHI in accordance with Section 7.5 of this Manual to which the Individual has agreed. A restriction shall be removed from the Individual’s Designated Record Set in the event that it ceases to be effective.
- Confidential Communications: Any request for confidential communications applicable to Disclosures of PHI to the Individual in accordance with Section 7.6 of this Manual to which System has agreed, along with any other applicable documentation required by that section. A description of alternate communications shall be removed from the individual’s Designated Record Set in the event that it ceases to be effective.
- Data Use Agreements: Any Data Use Agreement to which System has agreed in order to receive a Limited Data Set, in accordance with Section 6.4 of this Manual. A Data Use Agreement shall be removed from the Individual’s Designated Record Set in the event that System no longer maintains the applicable Limited Data Set.
9.2(4) Compliance Records: Maintained for Each Covered Individual
For each Individual, System shall maintain the following applicable documents:
- Accounted Disclosures of PHI: Listed Disclosures of the Individual’s PHI with descriptions, in accordance with Section 4.14 of this Manual. Documentation of a Disclosure shall be retained at least until the date that is 6 years after the date on which the Disclosure occurred.
- Suspension of Disclosure’s Inclusion in Accounting: In accordance with Section 7.4 of this Manual, any statements by a Health Oversight Agency or law enforcement official that result in the suspension of inclusion in an accounting of disclosures of a Disclosure of the individual’s PHI. Such documentation shall be retained at least until the date that is 6 years after the expiration of the time period during which the applicable Disclosures would be excluded from any accountings requested.
- Plan Requests for Entire Medical Record: In accordance with Section 4.1 of this Manual, the justification for any System request of the Individual’s entire medical record. Such documentation shall be retained at least until the date that is 6 years after the date of the request.
- Plan Uses or Disclosures of Entire Medical Record: In accordance with Policy 4 of this Manual, the justification for a Use or Disclosure of the individual’s entire medical record. Such documentation shall be retained at least until the date that is 6 years after the date of the Use or Disclosure.
- Determinations of Personal Representatives: In accordance with Section 4.12 of this Manual, any determination regarding whether a person is the individual’s personal representative. Such documentation shall be retained at least until the date that is 6 years after the later of the determination date or, if the Privacy Officer determines the person is no longer the Personal Representative, the date on which such determination ceases to be effective.
- Authorizations: In accordance with Section 4.11 of this Manual, any Authorization received for System’s Use or Disclosure of the individual’s PHI. Such documentation shall be retained at least until the date that is 6 years after the date on which the Authorization expires or is revoked.
- Notification Disclosures: If the Privacy Officer approves a Notification Disclosure concerning the individual (in accordance with Section 4.7 of this Manual), the reasons for the determination that such Notification Disclosure is permissible. Such documentation shall be retained at least until the date that is 6 years after the date of disclosure.
- Dates of Provision of a Notice: In accordance with Section 7.1 of this Manual, a log of the dates on which the Individual requests a copy of the notice of privacy practices and the dates on which s/he receives a copy. Documentation of each date shall be retained at least until the date that is 6 years after the date documented.
- Requests for Access: The documents described in Section 7.2 of this Manual relating to the individual’s request for access. All such documents shall be retained at least until the date that is 6 years after the date on which the last document attributable to the applicable request for access was created.
- Requests for Amendment: The documents described in Section 7.3 of this Manual relating to the Individual’s request for amendment. All such documents shall be retained at least until the date that is 6 years after the date on which the last document attributable to the applicable request for amendment was created.
- Requests for Accounting: The documents described in Section 7.4 of this Manual relating to the Individual’s request for accounting. All such documents shall be retained at least until the date that is 6 years after the date the applicable accounting is provided.
- Requests for Restriction on Use or Disclosure of PHI: The documents described in Section 7.5 of this Manual relating to the individual’s request for restriction. All such documents, if attributable to a granted request, shall be retained at least until the date that is 6 years after the date on which the respective restriction is no longer effective. All such documents, if attributable to a denied request, shall be retained at least until the date that is 6 years after the date of denial.
- Requests for Confidential Communications: The documents described in Section 7.6 of this Manual relating to an Individual’s request for confidential communications. All such documents, if attributable to a granted request, shall be retained at least until the date that is 6 years after the date on which the alternate communications are no longer in effect. All such documents, if attributable to a denied request, shall be retained at least until the date that is 6 years after the notification of denial.
- Notification of Complaint Disposition: In accordance with Section 7.7 of this Manual, any notification that is sent to an Individual regarding the disposition of the complaint. Such notification shall be retained at least until the date that is 6 years after the date on which it is given.
9.2(5) Compliance Records: General Files
System shall maintain the following general privacy files:
- Policies and Procedures: The current written policies and procedures set forth in this Manual and, in accordance with Section 9.1 of this Manual, any written policies and procedures that are no longer in effect. A superseded Section of the policies and procedures shall be retained at least until the date that is 6 years after the date it became superseded.
- Notices of Privacy Practices: System’s current version of the notice of privacy practices and, in accordance with Section 7.1 of this Manual, any former version that is no longer in effect. A former version shall be retained at least until the date that is 6 years after the date it was revised.
- Plan Sponsor Agreements and Plan Sponsor Certifications: In accordance with Policy 5 of this Manual, any written agreements and any Certification intended to permit Disclosure of PHI to System as a Plan Sponsor. Any such documentation shall be retained at least until the date that is 6 years after the date on which it ceases to be effective.
- Business Associate Contract Provisions: The provisions of contracts with a Business Associate that are intended to comply with Section 6.1 of this Manual. Documentation of such contractual provisions shall be retained at least until the date that is 6 years after the date on which the provisions cease to be effective.
- Data Use Agreements: Data use agreements that are intended to comply with Section 6.3 of this Manual. Any such agreement shall be retained at least until the date that is 6 years after the date on which it ceases to be effective.
- Designation of Privacy Officer: Documents identifying System’s Privacy Officer. Such documentation shall be retained at least until the date that is 6 years after the date on which the identified person or office ceases to be the Privacy Officer.
- Disposition of Complaints: In accordance with Section 7.7 of this Manual, documentation of a complaint received and its disposition. Such documentation shall be retained at least until the date that is 6 years after the date on which it is created.
- Secretary Investigations: In accordance with Section 8.1 of this Manual, any written communications with the Secretary regarding System’s privacy policies and procedures. Each such document shall be retained at least until the date that is 6 years after the date on which it was created.
- Mitigation Efforts: In accordance with Section 8.4 of this Manual, documentation of System’s efforts to mitigate the harmful effects of a privacy violation. Such documentation shall be retained at least until the date that is 6 years after the date on which it is created.
- In accordance with Section 3 of this Manual, all System documents and records pertaining to any Breach, including samples of all notices provided to Individuals and all reports made to the Secretary.
9.2(6) Records Relating to Personnel
- Privacy Training: In accordance with Section 8.2 of this Manual, documentation of privacy training received by all Workforce members and any signed PHI confidentiality agreements. Such documentation shall be retained at least until the date that is 6 years after the person’s date of termination of employment.
- Sanctions: Description of any sanctions considered against an employee or Workforce member in accordance with Section 8.5 of this Manual, whether or not imposed. Information that identifies the Individual whose privacy rights were violated shall be removed to the extent practicable. All such documents shall be retained at least until the date that is 6 years after the date on which they were created.
REFERENCES/CITATIONS
45 C.F.R. § 164.530(j).
65 Fed. Reg. at 82,563, 82,749-50 (Dec. 28, 2000).