[Author’s Note: The following is the first of a two-part article focusing on issues in the disclosure of information under the HIPAA Privacy Rule. Part one discusses the history, purpose, and summary of the Privacy Rule; compliance deadlines and rule enforcement; applicability of the Privacy Rule; interaction of the Privacy Rule with other laws; and certain administrative requirements. Part two discusses the required notice of privacy practices; specific uses and disclosures of protected health information, with and without patient authorizations; and individual rights under the Privacy Rule.]

I. History, Purpose, and Summary of the HIPAA Privacy Rule.

A. What is the Health Insurance Portability and Accountability Act?

As reflected within the Act’s express terms, Congress created and passed the Health Insurance Portability and Accountability Act ("HIPAA") "to improve [the] portability and continuity of health insurance coverage in the group and individual markets ["Health Insurance Portability"], to combat waste, fraud, and abuse in health insurance and health care delivery ["Accountability"], [and] to simplify the administration of health insurance ["Administrative Simplification"]." Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996).

Health Insurance Portability is the product of Title I of the Act, and generally attempts to provide individuals and groups various protections in the realm of insurance options. Among other things, Title I of the Act limits or eliminates some insurance exclusions available to insurers; provides guaranteed credits for past insurance that must be honored by insurers; and attempts to assure that insurance can be purchased through the prohibition of certain types of discrimination and through certain guarantees of coverage renewal. Notably, Title I does not regulate insurance costs or pricing. In fact, HIPAA is not designed to create or even encourage the availability of inexpensive health insurance; rather HIPAA attempts to make health insurance available to those capable of paying for coverage.

Accountability focuses on combating fraud, particularly as it regards insurance claims. Among other things, HIPAA broadens the definition of fraud, and increases the reward that whistleblowers are entitled to earn under the False Claims Act.

Finally, Administrative Simplification focused initially, and primarily, upon national standards for electronic health care transactions. In short, HIPAA mandates the use of specific electronic formats, coding schemes, and national identifiers, with the intention of ultimately improving the efficiency and cost effectiveness of the health care system through standardization of the interchange of health information.

As Congress attempted to standardize the interchange of health information, some began voicing concerns that advances in electronic technology could erode the privacy of health information. In response, Congress included, within HIPAA, provisions mandating the adoption of comprehensive federal privacy protections for individually identifiable health information1. See Pub. L. No. 104-191, at § 264. Those standards, promulgated by the Department of Health and Human Services ("DHHS") and known generally as Standards for Privacy of Individually Identifiable Health Information or the HIPAA "Privacy Rule," can be found within the Code of Federal Regulations at 45 C.F.R., sections 160 and 164.

B. What is the HIPAA Privacy Rule?

In response to HIPAA’s mandate, the DHHS published the first comprehensive federal standards for protecting the privacy of individually identifiable health information on December 28, 2000. After a period of public comment and modification, the DHHS adopted, on August 14, 2002, the final Privacy Rule. The Privacy Rule, as finally adopted, imposes upon covered entities national standards designed to protect and guard against the misuse of individually identifiable health information.

Among other things, implementation of the standards will require covered entities to establish appropriate administrative, technical, and physical safeguards for individually identifiable health information; to create new or modify substantially existing forms, policies, contracts, and other procedures; to review and modify or create new oversight responsibilities and positions; to conduct appropriate audits and training; and to provide patients greater access to their individually identifiable health information.

Notably, the Privacy Rule does not replace nor displace federal, state, or other law that would grant individuals greater privacy protection. See 45 C.F.R. § 160.203(b). See Pub. L. No. 104-191, at § 264(c)(2). Moreover, entities covered by the Privacy Rule may retain or adopt even more protective policies or practices.

II. Compliance Deadlines and Rule Enforcement.

Generally speaking, the Privacy Rule mandated compliance for most covered entities on or before April 14, 2003. 45 C.F.R. § 164.534(a-c). However, the Privacy Rule does permit an additional year for certain small health plans2, and also imposes some other less immediate deadlines pertaining to interactions between covered and non-covered entities that involve individually identifiable health information. 45 C.F.R. § 164.534(b)(2); 164.532(e)(1-2).

The Privacy Rule provides two methods of possible enforcement by the DHHS: enforcement through complaints of private individuals; and enforcement through compliance review. As to the former, individuals have the right to file a complaint with the DHHS, if they believe that a covered entity has failed to comply with any provision of the Privacy Rule. 45 C.F.R. § 160.306(a). The procedures for the complaint process are generally modeled on those used by the DHHS’ Office for Civil Rights.

Specifically, the DHHS will require the complainant to identify the covered entity and the acts or omissions alleged to be violative of the Privacy Rule in a written complaint filed within one hundred eighty days of the date the alleged violation became known or should have become known to the complainant. 45 C.F.R. § 160.306(b)(1-3). Thereafter, the DHHS will investigate and, if a violation is found, attempt to resolve the complaint on an informal basis. 45 C.F.R. § 160.306(c); 160.312(a)(1-2). If, however, the DHHS cannot resolve the complaint, it may, when appropriate, turn the matter over to the Department of Justice for prosecution.

As to the latter method of enforcement, the DHHS may also conduct compliance reviews to determine whether a covered entity or its business associate is in compliance with the administrative and other requirements of the rule. 45 C.F.R. § 160.308. However, in 2002, the DHHS indicated that its initial method of enforcement would be only through complaints.

In any event, HIPAA grants the DHHS the authority to impose severe civil and criminal monetary penalties against covered entities. Specifically, HIPAA imposes civil penalties of $100 per violation, with an annual cap of $25,000 per year for all violations of a single requirement or prohibition. 42 U.S.C. § 1320d-5(a)(1). HIPAA also imposes criminal penalties of up to one year in prison and $50,000 for basic offenses; five years in prison and $100,000 for offenses committed under false pretenses; and ten years in prison and $250,000 for offenses committed with the intent to use individually identifiable health information for gain or harm. 42 U.S.C. § 1320d-6(a-b).

By its terms, HIPAA does not provide a private cause of action. However, most legal commentators believe that HIPAA’s Privacy Rule may provide a standard under which to pursue privacy actions under other federal and state statutes or the common law.

III. Applicability: Who and What of the Privacy Rule?

Although HIPAA’s Privacy Rule is properly defined as nothing less than a series of comprehensive federal standards designed to protect the privacy of individually identifiable health information, one must also remember that the Privacy Rule is nothing more than a series of comprehensive federal standards designed to protect the privacy of individually identifiable health information. Stated differently, application of HIPAA’s Privacy Rule has limitations. More to the point, the Privacy Rule applies only to a set of specifically covered entities: health plans; health care clearinghouses; and health care providers that transmit Protected Health Information ("PHI") in an electronic form and as part of a HIPAA standard transaction. 42 U.S.C. 1320d-1(a)(1-3); 45 C.F.R. § 160.103. See also 45 C.F.R. 164.500.

Thus, any entity concerned with the applicability must ask of itself three questions:

  • Is the entity a health plan, a health care clearinghouse, or a health care provider?
  • Does the entity transmit PHI in an electronic format?
  • Does the entity transmit PHI in connection with HIPAA standard transactions?

See 45 C.F.R. § 160.103. An entity need not comply with HIPAA’s Privacy Rule if, and only if, the response to at least one of these three questions is "no." See 45 C.F.R. 160.103, 160.500.

A. What is a Covered Entity?

1. Who is a Health Care Provider?

A health care provider might be an individual, a group, or an organization. 42 U.S.C. § 1320d(3); 45 C.F.R. § 160.103.

In terms of an individual, any person licensed, certified, or otherwise authorized to perform medical services or provide medical care, equipment, or supplies in the normal course of business will be a health care provider for purposes of HIPAA. 42 U.S.C. § 1320d(3); 45 C.F.R. § 160.103. Examples of individual health care providers include physicians; nurses; physical therapists; dentists; and pharmacists.

Groups refer to entities composed of individuals. See 42 U.S.C. § 1320d(3); 45 C.F.R. § 160.103. For example, multiple physicians practice as a group when they collectively bill and receive payment for their services as a group.

Organizations, in contrast to a group, refer to non-human entities licensed, certified, or otherwise authorized to perform medical services or provide medical care, equipment, or supplies in the normal course of business. See 42 U.S.C. § 1320d(3); 45 C.F.R. § 160.103. Examples of organizations might include hospitals; nursing facilities; rehabilitation facilities; laboratories; ambulance companies; health maintenance organizations; medical equipment providers; and pharmacies.

2. Who is a Health Plan?

A health plan, simply stated, pays the cost of medical care, and may, in some circumstances, provide medical care. 42 U.S.C. § 1320d(5); 45 C.F.R. § 160.103. A health plan may be an individual plan or group plan3, or a combination of individual and/or group plans. 42 U.S.C. § 1320d(5)(A-M); 45 C.F.R. § 160.103. Examples of health plans include Medicare; Medicaid; Blue Cross; a health maintenance organization ("HMO"); multi-employer welfare benefit plans; and long-term care policies, excluding nursing home fixed-indemnity policies. Id.

3. Who is a Health Care Clearinghouse?

A health care clearinghouse is a public or private entity that processes or facilitates the processing of health care transactions. See 42 U.S.C. § 1320d(2); 45 C.F.R. § 160.103. Essentially, these entities receive health care transaction data from health care providers and other entities; translate the received transaction data from a given format into one acceptable to some intended recipient; and forward the processed transaction data to the intended recipient, usually health plans or other health care clearinghouses. Examples of health care clearinghouses include billing services; repricing companies; community health management information systems or community health information systems; and value-added networks.

4. Functional Approach to Covered Entities.

Recognizing that in today’s health care industry, the relationships among health care entities and non-health care entities are extremely varied and complex, HIPAA’s Privacy Rule adopts a functional approach that permits covered entities to segregate functions, and/or, to establish unified functions and procedures, depending upon the nature of the covered entity.

For example, a covered entity that qualifies as a hybrid entity may segregate portions of its organization such that the Privacy Rule will only apply to limited sections of its organization. HIPAA’s Privacy Rule defines a hybrid entity as a covered entity whose business activities include both covered and non-covered functions. 45 C.F.R. § 164.504(a)(1-2). One example of a covered entity that might seek treatment as a hybrid entity is a manufacturing firm with an on-site health clinic.

A covered entity might also wish to establish unified functions and procedures as part of an affiliated entity or as part of an organized health care arrangement ("OHCA"). Under HIPAA’s Privacy Rule, legally separate covered entities may designate themselves as a single affiliated covered entity if all of the covered entities are under common control or ownership. 45 C.F.R. § 164.504(d)(1-2). Common control exists if an entity has the power to significantly influence or direct the actions or policies of another entity; and common ownership exists if an entity or entities possess an ownership or equity interest of 5 percent or more of another entity. 45 C.F.R. § 164.504(a). An example of an affiliated entity might include a hospital chain.

An OHCA refers to a clinically integrated health care setting in which individuals typically receive care from more than one provider; an organized system of care in which multiple participating covered entities hold themselves out to the public as a joint arrangement, and participate in joint utilization reviews, joint quality assessments and improvements, or joint payment activities with shared financial risks; a group health plan and health insurance issuer or HMO with respect to such plan, but only relating to PHI of participants or beneficiaries of the plan; multiple group health plans maintained by the same plan sponsor; or multiple group health plans maintained by the same plan sponsor and health insurance issuers or HMOs with respect to such plans, but only relating to PHI of participants or beneficiaries of the plan. 45 C.F.R. § 164.501.

B. What is Protected Health Information?

Generally speaking, HIPAA utilizes the common definitions of health information: oral or recorded information, in any format, relating to past, present, or future physical or mental health of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.4 42 U.S.C. § 1320d(4)(A-B); 45 C.F.R. § 160.103. However, the HIPAA Privacy Rule does not limit the disclosure of all health information. 45 C.F.R. § 164.502(a). Rather, the HIPAA Privacy Rule regulates the disclosure of Protected Health Information or PHI. Id.

PHI means "individually identifiable health information."5 42 U.S.C. § 1320d(6)(A-B); 45 C.F.R. § 164.501. In turn, individually identifiable health information is defined as that health information with respect to which there is some reasonable basis to believe that the information can be used to identify the individual. 42 U.S.C. § 1320d(6)(A-B); 45 C.F.R. §§ 160.103, 164.501. Notably, not all health information is PHI, because not all health information is individually identifiable health information. 45 C.F.R. § 164.514(a).

Moreover, even health information that might otherwise qualify as PHI may be de-identified by removing, coding, encrypting, or otherwise eliminating or concealing all individually identifiable health information.6 45 C.F.R. § 164.514(b)(2)(i)(A-R). Such de-identified information will not be subject to HIPAA’s Privacy Rule. 45 C.F.R. § 164.502(d)(2).
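The safe-harbor method the paragraph cites, 45 C.F.R. § 164.514(b)(2), as an added Python example that is not code from the article: it strips or generalizes the identifier categories (A) through (R), summarized here from the regulation text rather than from this page, and then scans the fields that remain for identifiers that survive in free text. The record schema, field names, sample record, and the restricted three-digit ZIP set are assumptions of the example.

```python
"""Safe-harbor de-identification of a health record under 45 C.F.R. 164.514(b)(2).

Added example, not code from the article. The record schema, field names and
sample values are constructed. The identifier categories (A)-(R) are summarised
from the regulation text, which the article cites but does not reproduce.
"""
import re
from datetime import date

# (A), (D)-(R): direct identifiers that must be removed outright. The category
# names follow the regulation; the record keys are assumptions of this example.
DIRECT_IDENTIFIER_KEYS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo", "other_unique_id",
})
# (C): for dates directly related to the individual, only the year may remain.
DATE_KEYS = frozenset({"dob", "admission_date", "discharge_date", "death_date"})
# (C): ages over 89, and birth years that would reveal them, collapse into "90+".
AGE_CAP = 89

# Patterns that catch identifiers left behind in free text, which the structured
# removal cannot see. Paragraph (b)(2)(ii) requires that the covered entity have
# no actual knowledge the remaining data could identify the individual, so hits
# here mean the record needs review, not that it is automatically disqualified.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def generalize_zip(zip_code, restricted_zip3=frozenset()):
    """(B): drop geographic detail below state level except the first three ZIP
    digits; those become '000' when the three-digit area has 20,000 or fewer
    residents. The caller supplies that set from current census data."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in restricted_zip3 else zip3


def age_on(dob, today):
    """Whole years between an ISO-8601 date of birth and a reference date."""
    born = date.fromisoformat(dob)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def deidentify(record, restricted_zip3=frozenset(), today=None):
    """Return a copy of `record` with the (A)-(R) identifiers removed or
    generalized. Keys not listed above pass through untouched."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_KEYS:
            continue  # (A), (D)-(R): removed entirely
        if key in DATE_KEYS:
            out[key + "_year"] = date.fromisoformat(value).year  # (C): year only
        elif key == "zip":
            out["zip3"] = generalize_zip(value, restricted_zip3)  # (B)
        else:
            out[key] = value
    if record.get("dob"):
        age = age_on(record["dob"], today)
        if age > AGE_CAP:
            out.pop("dob_year", None)  # a birth year alone would reveal age > 89
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


def find_residual_identifiers(record):
    """Flag string fields that still look like they carry an identifier."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            for name, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    hits.append((key, name))
    return hits


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "mrn": "MRN-000001",
    "dob": "1931-05-02",
    "zip": "02138-1234",
    "state": "MA",
    "admission_date": "2003-04-14",
    "diagnosis_code": "E11.9",
    "notes": "Follow-up scheduled; patient prefers calls at 617-555-0101",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD, today="2003-04-14")
    print(cleaned)
    print("residual identifiers:", find_residual_identifiers(cleaned))
```

The structured removal leaves the free-text `notes` field intact, and the residual scan flags the phone number inside it; that is the gap between mechanical removal of the (A)-(R) fields and the actual-knowledge condition of paragraph (b)(2)(ii).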

C. When is PHI Electronically Transmitted?

Under the Privacy Rule, PHI exchanged using any type of electronic, magnetic, or optical media, including Internet, Extranet, leased lines, dial-up lines, private networks, telephone voice response, or facsimile, will be deemed to have been electronically transmitted. 45 C.F.R. § 162.103. Moreover, once a health care provider transmits PHI electronically in connection with a HIPAA Standard Transaction, that health care provider, and all PHI (regardless of form or format) created or received by that health care provider, becomes subject to the Privacy Rule. See 42 U.S.C. 1320d-1(a)(1-3); 45 C.F.R. § 160.103. See also 45 C.F.R. 164.500.

D. What is a HIPAA Standard Transaction?

Under HIPAA, a defined standard transaction includes, among other things, health care claims; encounter forms or information; health care payments and remittance advice; coordination of benefits information; health care claim status; enrollment and disenrollment information; eligibility for a health plan; referral certification and authorization; and health claims attachments. 45 C.F.R. § 160.103.

IV. Applicability: What of the Non-Covered Entity?

By limiting direct application of the Privacy Rule to health plans; health care clearinghouses; and health care providers that transmit PHI in an electronic form and as part of a HIPAA standard transaction, the Privacy Rule appears to create a gap in privacy protection. More to the point, the Privacy Rule does not directly regulate any number of other entities that might have cause or need to obtain PHI from a covered entity, such as their lawyers; accountants; administrators; actuarial services; or accreditation services. The privacy rule bridges this gap by requiring written agreements between the covered entity and its business associates requiring those business associates to maintain privacy. See 45 C.F.R. § 164.502(e)(1)(i). See also 45 C.F.R. § 164.504(e).

These aptly named business associate agreements are required regardless of whether there is an existing written contract between the covered entity and the business associate or only an oral agreement or understanding in place. See 45 C.F.R. § 164.504(e). See also 45 C.F.R. § 164.502(e)(1)(i).

A. Who is and Who is Not a Business Associate?

Under the HIPAA Privacy Rule, a business associate is a person or entity that performs functions or activities on behalf of, or provides services to, a covered entity involving the use or disclosure of PHI.7 45 C.F.R. § 160.103.

A member of the covered entity’s workforce8 is not a business associate. 45 C.F.R. § 160.103. However, a covered entity can be a business associate of another covered entity. Id.

A business associate agreement is also not required with respect to disclosures by a covered entity to a health care provider for treatment of the individual; or with respect to disclosures made by a group health plan to a plan sponsor, provided that the plan documents restrict the uses and disclosures of such information by the plan sponsor in a manner consistent with the Privacy Rule; the disclosures are made pursuant to a valid authorization; or the disclosures involve summary health information disclosed to a plan sponsor in response to a request to use the information for purposes of obtaining bids from health plans for providing coverage under a group health plan or modifying, amending, or terminating the group health plan. 45 C.F.R. § 164.502(e)(ii)(A-B); 45 C.F.R. § 164.504(f)(i-ii).

Business associate functions or activities include claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; billing; benefit management; and repricing. 45 C.F.R. § 160.103. Business associate services include legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. Id.

B. Compliance Deadlines for Business Associate Agreements.

As a general rule, covered entities were required to enter into business associate agreements with their business associates on or before April 14, 2003. See 45 C.F.R. § 164.534. However, covered entities could obtain up to a one-year extension for compliance with the business associate provisions if, and only if, there was a written contract in existence between the covered entity and the business associate before October 15, 2002, and that written contract did not require modification or renewal before April 14, 2003. 45 C.F.R. § 164.532(e)(1)(i-ii). If the exception applies, covered entities and their business associate may continue to operate under the existing written agreement until April 14, 2004, or until the existing contract is due to be renewed or modified, whichever is sooner. 45 C.F.R. § 164.532(e)(2)(i-ii).

By its terms, the exception does not apply to business associates with which the covered entity only had an oral contract or understanding. See 45 C.F.R. § 164.532(e)(1)(i-ii).

Moreover, the exception would not apply to small health plans, which already have until April 14, 2004, to comply with the Privacy Rule. See 45 C.F.R. § 164.534(b)(2).

C. Contents of the Business Associate Agreement.

Pursuant to 45 C.F.R. section 164.504(e)(2), a covered entity’s written agreement with its business associate must:

  • describe permitted and required uses and disclosures of PHI by the business associate (45 C.F.R. § 164.504(e)(2)(i));
  • provide that the business associate will not use or disclose PHI except as permitted or required by contract or otherwise authorized by law (45 C.F.R. § 164.504(e)(2)(ii)(A));
  • provide that the business associate will use appropriate safeguards to prevent unauthorized uses and disclosures of PHI (45 C.F.R. § 164.504(e)(2)(ii)(B));
  • provide that the business associate will report unauthorized uses and disclosures to the covered entity (45 C.F.R. § 164.504(e)(2)(ii)(C));
  • provide that the business associate will pass on the same privacy obligations to its subcontractors and/or agents (45 C.F.R. § 164.504(e)(2)(ii)(D));
  • make PHI available for access and/or amendment by individuals vested with such rights under the Privacy Rule (45 C.F.R. § 164.504(e)(2)(ii)(E-F));
  • make PHI available for accounting of uses and disclosures (45 C.F.R. § 164.504(e)(2)(ii)(G));
  • make PHI available to the DHHS for purposes of determining the covered entity’s compliance with the Privacy Rule (45 C.F.R. § 164.504(e)(2)(ii)(H));
  • require the return or destruction of PHI at the termination of the agreement, or offer some other ongoing protection for the PHI (45 C.F.R. § 164.504(e)(2)(ii)(I)); and
  • authorize termination of the agreement by the covered entity upon material breach by the business associate (45 C.F.R. § 164.504(e)(2)(iii)).9

In addition, a covered entity’s written agreement with its business associate may also permit the business associate to use PHI, if necessary, for the proper management and administration of the business associate or to carry out the legal responsibilities of the business associate. 45 C.F.R. § 164.504(e)(4)(i)(A-B). The covered entity’s written agreement with its business associate may additionally permit the business associate to disclose PHI for proper management and administration of the business associate, or to carry out the legal responsibilities of the business associate, if, and only if, the disclosure is required by law, and the business associate obtains reasonable assurances from the other person to whom PHI is disclosed that the PHI will be held confidentially and used or further disclosed only as required by law or for the purpose for which the PHI was disclosed to the other person, and that the other person will notify the business associate of any known breaches of such confidentiality. 45 C.F.R. § 164.504(e)(4)(ii)(A-B).

If the covered entity and the business associate are both governmental entities, a covered entity can comply with the requirements of the business associate agreement by entering into a memorandum of understanding covering the required terms; or if the business associate is subject to some other law that satisfies the objectives of the required terms. 45 C.F.R. § 164.504(e)(3)(i)(A-B).

Moreover, if a business associate is required by law to perform a function or activity or service on behalf of the covered entity, the covered entity may disclose PHI to the extent necessary to comply with the mandate, so long as the covered entity documents its attempts to obtain the enumerated assurance of the business associate and the reasons such assurances could not be obtained. 45 C.F.R. § 164.504(e)(3)(ii).

D. Non-Compliance by the Business Associate.

If the covered entity knows of a pattern or practice of material non-compliance by the business associate, and reasonable steps have not cured that non-compliance, the covered entity must either terminate the business associate contract, if feasible; or report the problem to the DHHS. 45 C.F.R. § 164.504(e)(1)(ii)(A-B).

V. Interaction of the Privacy Rule with Other Federal and State Laws.

A. Basic Guidance to Resolving Contradictions Among the Privacy Rule and Other Federal Laws.

In the Preamble to the Privacy Rule, the DHHS expressly recognized that a covered entity subject to the HIPAA Privacy Rule might also be subject to yet other federal laws that impact use and disclosure of PHI. Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82461, 82482 (2000). Such laws may or may not complement or coincide with HIPAA’s Privacy Rule. To alleviate to some degree the concerns of covered entities facing overlapping, and sometimes contradictory, federal requirements, the DHHS offered, both in the Preamble to the Privacy Rule and in the final Privacy Rule, some general guidance.

First, a covered entity should, to the extent possible, attempt to comply with both laws. 65 Fed. Reg., at 82481. For example, if another federal law permits the dissemination of PHI, and HIPAA’s Privacy Rule prohibits that same disclosure in the absence of a valid authorization, the covered entity might be able to comply with both by simply obtaining the HIPAA-required authorization. Id.

Second, if another federal law mandates disclosure of PHI in situations prohibited under the HIPAA Privacy Rule, the covered entity should follow the statute or regulation mandating disclosure. In such a situation, the covered entity’s actions would not be violative of HIPAA’s Privacy Rule, because the Privacy Rule expressly permits the use or disclosure of PHI "as required by other law." 45 C.F.R. § 164.512(a)(1). See also 65 Fed. Reg., at 82481-82482.

Finally, if another federal law prohibits the dissemination of PHI that an individual would have a right of access to under the HIPAA Privacy Rule, the "earlier, more specific statute would apply." 65 Fed. Reg., at 82482.

B. Complementary and Contradictory Federal Laws.

Within the Preamble to the Privacy Rule, DHHS offers specific comments related to the potential interactions, be they complementary or contradictory in nature, of the HIPAA Privacy Rule with a number of federal laws, including the following:

  • Privacy Act of 1974, codified at 5 U.S.C. section 552a;
  • Freedom of Information Act, codified at 5 U.S.C. section 552;
  • federal law relating to the confidentiality of substance abuse;
  • Family Educational Rights and Privacy Act, codified at 20 U.S.C. section 1232g;
  • Financial Services Modernization Act, or Gramm-Leach-Bliley Act;
  • federal law relating to federally-funded health programs;
  • Food, Drug, and Cosmetic Act, codified at 21 U.S.C. sections 301, et seq.;
  • Clinical Laboratory Improvement Act, codified at 42 U.S.C. section 263a;
  • federal laws barring discrimination on the basis of disability; and
  • U.S. Safe Harbor Privacy Principles, as such relates to the European Union Directive on Data Protection.

65 Fed. Reg., at 82482-82487. Other federal laws that may interact with HIPAA’s Privacy Rule include the Family Medical Leave Act, codified at 29 U.S.C. section 2601; various occupational safety and health laws10; and various privacy protections secured by the United States Constitution.

C. Preemption.

As a general rule, HIPAA preempts state law provisions contrary to, or in conflict with, those of the HIPAA Privacy Rule. 45 C.F.R. § 160.203. HIPAA explicitly excludes from the general rule of federal preemption state privacy laws that are more stringent than the Privacy Rule; state laws that provide for the reporting of disease, injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention; state laws dealing with state oversight of health plans; and certain state laws that the DHHS determines should otherwise be exempted from the general rule of preemption. 45 C.F.R. § 160.203(a-d).

VI. Administrative Requirements of the Privacy Rule.

In order to ensure compliance with the HIPAA Privacy Rule and to protect the privacy of PHI, most covered entities are required to develop a privacy compliance program, implementation of which may vary widely depending upon the size and nature of the entity. 45 C.F.R. § 164.530(i)(1).

A. Designation of a Privacy Officer and Contact Person.

Under HIPAA’s Privacy Rule, covered entities are required to designate a privacy official responsible for development and implementation of the covered entity’s policies and procedures; and a contact person or office responsible for receiving complaints and able to provide information relating to the covered entity’s notice of privacy practices. 45 C.F.R. § 164.530(a)(1)(i-ii). The privacy officer and contact person could be, but are not required to be, the same person.

B. Privacy Training for Members of the Workforce.

Under HIPAA’s Privacy Rule, covered entities must train, and document the training of, all workforce members on policies and procedures relating to PHI to the extent those workforce members require PHI to perform their job functions. 45 C.F.R. § 164.530(b)(1).

C. Safeguards.

Under HIPAA’s Privacy Rule, covered entities must have in place appropriate administrative, technical, and physical safeguards to protect PHI from both intentional and unintentional unauthorized uses and disclosures. 45 C.F.R. § 164.530(c)(1).

D. Complaint Process.

Under HIPAA’s Privacy Rule, covered entities must provide a process for individuals to make complaints regarding the covered entity’s policies and procedures relating to privacy of PHI and the covered entity’s non-compliance with such policies and procedures. 45 C.F.R. § 164.530(d)(1). Notably, the Privacy Rule forbids a covered entity from requiring individuals to waive any right to file a complaint under its provisions as a condition of treatment, payment, or enrollment or eligibility for benefits. 45 C.F.R. § 164.530(h).

E. Appropriate Sanctions.

Under HIPAA’s Privacy Rule, covered entities must have, apply, and document application of appropriate sanctions against its workforce members who fail to comply with the covered entity’s privacy policies and procedures or the requirements of the HIPAA Privacy Rule. 45 C.F.R. § 164.530(e)(1-2).

F. Mitigation of Violations.

Under HIPAA’s Privacy Rule, covered entities must mitigate, to the extent practicable, any harmful effects that are known to the covered entity of unauthorized uses or disclosures of PHI in violation of the covered entity’s policies or procedures or the HIPAA Privacy Rule. 45 C.F.R. § 164.530(f).

G. No Intimidation or Retaliatory Acts.

Under HIPAA’s Privacy Rule, covered entities may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising any right or participating in any process established by the Privacy Rule; for filing a complaint under the Privacy Rule; for testifying, assisting, or participating in any investigation, compliance review, or proceeding/hearing under the Privacy Rule; or for opposing any act or practice made unlawful under the Privacy Rule. 45 C.F.R. § 164.530(g)(1-2).

H. Policies, Procedures, and Documentation.

Under HIPAA’s Privacy Rule, covered entities must design, implement, and maintain policies and procedures in compliance with the Privacy Rule. 45 C.F.R. § 164.530(i)(1). The duty includes altering those policies and procedures as necessary and appropriate to comply with changes in the law and the Privacy Rule. 45 C.F.R. § 164.530(i)(2-3). HIPAA’s Privacy Rule permits flexibility in a covered entity’s performance of this duty based upon the size of the covered entity and the type of activities engaged in by the covered entity with respect to PHI. 45 C.F.R. § 164.530(i)(1).

Covered entities must maintain, for a period of six years, the required policies and procedures in written or electronic form, along with all written or electronic copies of all communications, actions, activities, or designations required to be documented under the Privacy Rule. 45 C.F.R. § 164.530(j)(1-2).

Endnotes

1 For the reader’s convenience, key terms under the HIPAA Privacy Rule will appear in bold and italic font upon initial use in these materials.

2 Small health plans are defined as health plans having annual receipts of five million dollars or less. 45 C.F.R. § 160.103.

3 If a group plan has fewer than fifty participants and is self-administered, it is not subject to HIPAA’s Privacy Rule. 42 U.S.C. § 1320d(5)(A)(i-ii); 45 C.F.R. § 160.103.

4 HIPAA’s Privacy Rule provides the same protections for the individual, whether living or deceased. 45 C.F.R. § 164.502(f). In addition, HIPAA’s Privacy Rule requires, with some exceptions, that a covered entity treat the personal representative of an individual as it would the individual. 45 C.F.R. § 164.502(g)(1-5).

5 For purposes of HIPAA’s Privacy Rule, PHI does not include certain education records, including those covered by the Family Educational Rights and Privacy Act; nor employment records held by a covered entity in its role as an employer; nor . 45 C.F.R. § 164.501.

6 Even if all individually identifiable health information is not eliminated or concealed, the health information may still be treated as de-identified if a qualified statistician determines that the risk of re-identification is very small. 45 C.F.R. § 164.514(b)(1)(i-ii).

7 It should be noted that covered entities, particularly health care providers, may not avoid the requirements of HIPAA’s Privacy Rule by simply hiring third parties to transmit PHI electronically.

8 Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity. 45 C.F.R. § 160.103.

9 The termination provision of the business associate contract may be omitted if its inclusion would be inconsistent with the statutory obligations of either the covered entity or the business associate. 45 C.F.R. § 164.504(e)(3)(iii).

10 HIPAA’s Privacy Rule provides a specific exception for employer workplace investigations. 45 C.F.R. § 164.512(b)(1)(v).