Arizona Revised Statutes § 36-3806 Required Policies

36-3806. Required policies

A health information organization must implement and enforce policies governing the privacy and security of individually identifiable health information and compliance with this chapter. These policies must:

1. Implement the individual rights prescribed in section 36-3802.

2. Address the individual's right to opt out of participating in the health information organization pursuant to section 36-3803.

3. Address the content and distribution of the notice of health information practices prescribed in section 36-3804.

4. Implement the restrictions on disclosure of individually identifiable health information prescribed in section 36-3805.

5. Address security safeguards to protect individually identifiable health information, as required by the health insurance portability and accountability act security rule, 45 Code of Federal Regulations part 164, subpart C.

6. Prescribe the appointment and responsibilities of a person or persons who have responsibility for maintaining privacy and security procedures for the health information organization.

7. Require training of each employee and agent of the health information organization about the health information organization's policies, including the need to maintain the privacy and security of individually identifiable health information and the penalties provided for the unauthorized access, release, transfer, use or disclosure of individually identifiable health information. The health information organization must provide this training before an employee or agent may have access to individually identifiable health information available to the health information organization, and twice a year for all employees and agents.


Last modified: October 13, 2016