HIPAA Policy Section 8.1: Cooperation With the Secretary’s Investigation
System shall cooperate with the Secretary in the event the Secretary initiates a complaint investigation or compliance review of System’s privacy policies, procedures, and practices.
8.1(1) Access to Records Held by System
- System shall permit the Secretary to access System’s facilities, books, records, accounts, and other sources of information (including PHI) if the Secretary requires such access during a complaint investigation or a compliance review in order to ascertain System’s compliance with the HIPAA Privacy Standards as permitted by applicable law.
- Such access shall be granted during normal business hours upon reasonable advance notice by the Secretary. However, System shall permit access by the Secretary at any time and without prior notice, to the extent permitted by law, if the Secretary informs System of its determination that exigent circumstances exist, such as when documents may be hidden or destroyed absent immediate access.
8.1(2) Access to Records Held by Another
- If the Secretary requires access to information during a complaint investigation or a compliance review in order to ascertain System’s compliance with the HIPAA Privacy Standards, and such information is in the exclusive possession of a person other than System, System shall take reasonable steps to obtain the information for the Secretary.
- If the person with possession of the information provides the information to System, System shall provide access to the Secretary in accordance with Subsection 8.1(1) of this Section. If the person fails or refuses to furnish the information, System shall provide to the Secretary a certification of such failure or refusal that sets forth the efforts made by System to obtain the information.
8.1(3) Maintenance of Records.
Upon the Secretary’s request, System shall retain any records in the manner, and containing the information, that the Secretary determines is necessary to ascertain whether System has complied or is complying with the HIPAA Privacy Standards.
8.1(4) Submission of Compliance Reports.
Upon the Secretary’s request, System shall submit a compliance report to the Secretary in a reasonable time and manner, containing the information that the Secretary determines is necessary to ascertain whether System has complied or is complying with the HIPAA Privacy Standards.
8.1(5) Documentation of Communications with the Secretary.
System shall document any written communications with the Secretary including compliance reports and certifications of failed efforts to obtain System records from another entity. Such documentation shall be retained in accordance with Section 9.2 of this Manual.
45 C.F.R. § 160.310
65 Fed. Reg. at 82,487, 82,602-05 (Dec. 28, 2000)