Full Version: Plan Documents
Nini
Can HIPAA privacy and security be incorporated in the plan/amendment by reference, or do the actual provisions have to be in the document?

Thanks!
boecar
Most of the required plan amendments are listed in 45 CFR 164.504(f)(2). I have concluded that in order to comply with HIPAA's privacy rules, a self-insured group health plan must be amended to include all of the provisions required under this section. In my view, it would not be practical to attempt to incorporate all of these provisions by a reference to this section of the regulations. First, some of the provisions require a plan to establish specific rules in the plan document (e.g., "describe those employees . . . under the control of the plan sponsor to be given access to the [PHI]"). Second, it seems that one of HHS's goals in requiring that these provisions be incorporated in the plan is to make sure that plan administrators understand their responsibilities with respect to handling PHI -- a cryptic reference to a regulation would not accomplish this.

That's my view.
Nini
Thanks for confirming my thoughts - someone is trying to convince me that it is okay to incorporate by reference, but cannot provide guidance. When you read the regs, they specifically state that the GHP should be amended to include the provisions.

Thanks again.