What are the administrative requirements that covered entities need to have in place under HIPAA to protect the privacy of PHI?
The HIPAA Privacy Rule imposes a set of administrative requirements that covered entities must satisfy. A covered entity must implement written privacy policies and procedures that are designed to meet these requirements and that take into account its size and the nature of its activities involving PHI.
Specific administrative requirements of a covered entity include:
Privacy Rule requires, until six years after the later of the date of their creation or last effective date.
A covered entity is prohibited from retaliating against any individual for exercising his or her rights under the Privacy Rule, and it may not require an individual to waive any right under the Privacy Rule as a condition of providing treatment or other services.
Summary of the HIPAA Privacy Rule: Administrative Requirements - Developed by the Office for Civil Rights at the U.S. Department of Health and Human Services (2003). This site provides a summary of the HIPAA Privacy Rule.
Privacy Documents Relating to Administrative Requirements - Developed by the HIPAA Collaborative of Wisconsin (HIPAACOW) (2009). This site contains numerous documents related to various administrative requirements.
HIPAA Administrative Simplification - Developed by the Office for Civil Rights at the U.S. Department of Health and Human Services (2006). This document contains the regulation text.