Compliance reviews by DHHS (HIPAA)
Every covered entity must keep records regarding its compliance with HIPAA regulations. Such documentation would include:
- records related to any internally-handled complaints.
Covered entities must permit access by DHHS "during normal business hours" to any information, including protected health information, relevant to determining compliance.
If an investigation pursuant to a general compliance review (or a specific individual complaint) indicates organizational violations, the Secretary must notify the institution (and any complainants) in writing.
The regulations direct the Secretary to "attempt to resolve [problems] by informal means whenever possible." If informal resolution is not possible, the Secretary must issue formal, written findings, which presumably would raise the possibility of further investigation, and legal or financial sanctions.