Thursday, November 4, 2010

2010.10.25 - DMHC sent response to complaint

Received this letter, which essentially just forwards Delta Dental's response. The letter contains this:
Delta is legally required to hold original records regarding communications and any actions or activities for six years from the date of creation. The law which stipulates this can be found in Title 45, Code of Federal Regulations, section 164.316(b)(2)(i), which states that a covered entity must "retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later."
But this section only covers documentation of the insurance company's own compliance with the standards of the HIPAA Security Rule, i.e. the policies and procedures it adopts "taking into account those factors specified in 164.306(b)(2)(i), (ii), (iii), and (iv)". Those four factors are:
(2) In deciding which security measures to use, a covered entity must take into account the following factors:

 (i) The size, complexity, and capabilities of the covered entity.
 (ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
 (iii) The costs of security measures.
 (iv) The probability and criticality of potential risks to electronic protected health information.

The section cited in the letter, which refers to these four factors, reads in full:

164.316 - Policies and procedures and documentation requirements.

A covered entity must, in accordance with 164.306: (a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

 (b)(1) Standard: Documentation. (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) If an action, activity or assessment is required by this sub-part to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. [I, Clay Shentrup, note that there is nothing in here about storing my actual personal information.]

 (2) Implementation specifications: (i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

My assessment is that:
  1. This law only requires documentation of compliance with certain specific security and privacy regulations, not documentation of all correspondence regarding every member.
  2. Even if it did require documentation of all correspondence pertaining to members, that could be as simple as a record like "Received patient's initial registration paperwork." That is, documentation of correspondence does not inherently mean documentation of the full contents of that correspondence. This law says absolutely nothing about documenting the full contents of anything.
