Guest Nini Posted February 16, 2006 Posted February 16, 2006 Can HIPAA privacy and security be incorporated in the plan/amendment by reference, or do the actual provisions have to be in the document? Thanks!
Guest boecar Posted February 16, 2006 Posted February 16, 2006 Most of the required plan amendments are listed in 45 CFR 164.504(f)(2). I have concluded that in order to comply with HIPAA's privacy rules, a self-insured group health plan must be amended to include all of the provisions required under this section. In my view, it would not be practical to attempt to incorporate all of these provisions by a reference to this section of the regulations. First, some of the provisions require a plan to establish specific rules in the plan document (e.g., "describe those employees . . . under the control of the plan sponsor to be given access to the [PHI]"). Second, it seems that one of HHS's goals in requiring that these provisions be incorporated in the plan is to make sure that plan administrators understand their responsibilities with respect to handling PHI -- a cryptic reference to a regulation would not accomplish this. That's my view.
Guest Nini Posted February 17, 2006 Posted February 17, 2006 Thanks for confirming my thoughts - someone is trying to convince me that it is okay to incorporate by reference, but cannot provide guidance. When you read the regs, they specifically state that the GHP should be amended to include the provisions. Thanks again.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now