Section 30: Record Keeping and Documentation

Section 30:  Record Keeping and Documentation

The Callier Center shall maintain records, either in written or electronic form, of its activities that are conducted in accordance with this Manual.

The Center will maintain accurate and complete documentation of Protected Health Information (PHI).

Designated Record Set to Be Maintained for Each Patient

A Designated Record Set of all PHI attributable to a Patient whose PHI is held by the Callier Center shall be separately maintained for each Patient. Psychotherapy Notes shall be maintained separately from the rest of the Individual’s medical record.

Contents of a Designated Record Set

In addition to any PHI held by the Callier Center, the following documents shall be included in the Designated Record Set:

a. Authorizations

Any valid Authorization signed by the Individual, in the event that the Callier Center may presently Use or Disclose the covered individual’s PHI is reliant on such Authorization. An Authorization that has expired, been revoked, or otherwise been determined to be invalid shall be removed from the Individual’s Designated Record Set.

b. Determination to Treat a Person as a Personal Representative

Documentation of any determination by the Privacy Officer to treat a person as the covered individual’s personal representative in accordance with this Manual. Such documentation shall be removed from the individual’s Designated Record Set in the event that the Privacy Officer determines that such person is no longer the Individual’s Personal Representative.

c. Restrictions on Uses and Disclosures

Any restriction on the Center’s Use or Disclosure of the Individual’s PHI to which the Individual has agreed. A restriction shall be removed from the Individual’s Designated Record Set in the event that it ceases to be effective.

d. Confidential Communications

Any request for confidential communications applicable to Disclosures of PHI to the Individual to which the Center has agreed, along with any other applicable documentation required by the Policy on such communications.

e. Data Use Agreements

Any Data Use Agreement to which the Center has agreed in order to receive a Limited Data Set. A Data Use Agreement shall be removed from the Individual’s Designated Record Set in the event that the Center no longer maintains the applicable Limited Data Set.

Compliance Records: Maintained for Patient

a. Accounted Disclosures of PHI

Disclosures of the Patients PHI with descriptions that must be documented for an Accounting Disclosure shall be retained at least until the date that is 6 years after the date on which the Disclosure occurred.

b. Suspension of Disclosure’s Inclusion in Accounting

Any statements by a Health Oversight Agency or law enforcement official that result in the suspension of inclusion in an accounting of disclosures of a Disclosure of the individual’s PHI. Such documentation shall be retained at least until the date that is 6 years after the expiration of the time period during which the applicable Disclosures would be excluded from any accountings requested.

c. Any Requests for a Patient’s Entire Medical Record

Such documentation shall be retained at least until the date that is 6 years after the date of the request.

d. Uses or Disclosures of Entire Medical Record

Such documentation shall be retained at least until the date that is 6 years after the date of the Use or Disclosure.

e. Determinations of Personal Representatives

Any determination regarding whether a person is the Individual’s personal representative. Such documentation shall be retained at least until the date that is 6 years after the later of the determination date or, if the Privacy Officer determines the person is no longer the Personal Representative, the date on which such determination ceases to be effective.

f. Authorizations

Any Authorization received for the Center’s Use or Disclosure of the individual’s PHI. Such documentation shall be retained at least until the date that is 6 years after the date on which the Authorization expires or is revoked.

g. Notification Disclosures

If the Privacy Officer approves a Notification Disclosure concerning the individual the reasons for the determination that such Notification Disclosure is permissible. Such documentation shall be retained at least until the date that is 6 years after the date of disclosure.

h. Dates of Provision of a Notice

A log of the dates on which an individual requests a copy of the notice of privacy practices and the dates on which s/he receives a copy. Documentation of each date shall be retained at least until the date that is 6 years after the date documented.

i. Requests for Access

All documents relating to a request for access shall be retained at least until the date that is 6 years after the date on which the last document attributable to the applicable request for access was created.

j. Requests for Amendment

The documents relating to a Patients request for amendment of the Designated Record Set. All such documents shall be retained at least until the date that is 6 years after the date on which the last document attributable to the applicable request for amendment was created.

k. Requests for Accounting

The documents relating to the Individual’s request for accounting. All such documents shall be retained at least until the date that is 6 years after the date the applicable accounting is provided.

l. Requests for Restriction on Use or Disclosure of PHI

The documents relating to the individual’s request for restriction. All such documents, if attributable to a granted request, shall be retained at least until the date that is 6 years after the date on which the respective restriction is no longer effective. All such documents, if attributable to a denied request, shall be retained at least until the date that is 6 years after the date of denial.

m. Requests for Confidential Communications

The documents described relating to an Individual’s request for confidential communications. All such documents, if attributable to a granted request, shall be retained at least until the date that is 6 years after the date on which the alternate communications are no longer in effect. All such documents, if attributable to a denied request, shall be retained at least until the date that is 6 years after the notification of denial.

n. Notification of Complaint Disposition

Any notification that is sent to a person regarding the disposition of a complaint made by that person. Such notification shall be retained at least until the date that is 6 years after the date on which it is given.

Compliance Records: General Files

a. Policies and Procedures

The current written policies and procedures set forth in this Manual and, any written policies and procedures that are no longer in effect. A superseded Section of the policies and procedures shall be retained at least until the date that is 6 years after the date it became superseded.

b. Notices of Privacy Practices

The Callier Center’s current version of the Notice of Privacy Practices and any former version that is no longer in effect. A former version shall be retained at least until the date that is 6 years after the date it was revised.

c. Business Associate Contract Provisions

The provisions of contracts with a Business Associate. Documentation of such contractual provisions shall be retained at least until the date that is 6 years after the date on which the provisions cease to be effective.

e. Data Use Agreements

Data Use Agreements shall be retained at least until the date that is 6 years after the date on which it ceases to be effective.

f. Designation of Privacy Officer

Documents identifying Callier Center’s Privacy Officer. Such documentation shall be retained at least until the date that is 6 years after the date on which the identified person or office ceases to be the Privacy Officer.

g. Disposition of Complaints

Documentation of a complaint received and its disposition. Such documentation shall be retained at least until the date that is 6 years after the date on which it is created.

h. Secretary Investigations

Any written communications with the Secretary regarding University’s privacy policies and procedures. Each such document shall be retained at least until the date that is 6 years after the date on which it was created.

i. Mitigation Effort

Documentation of the Center’s efforts to mitigate the harmful effects of a privacy violation. Such documentation shall be retained at least until the date that is 6 years after the date on which it is created.

j. Breach Notification Rule Compliance

All documents and records pertaining to any Breach requiring a notification, including samples of all notices provided to Individuals and all reports made to the Secretary.

Records Relating to Personnel

a. Privacy Training

Documentation of privacy training received by all Workforce members and any signed PHI confidentiality agreements. Such documentation shall be retained at least until the date that is 6 years after the person’s date of termination of employment or, if not an employee, any other involvement with the University as a Workforce Member.

b. Sanctions

Description of any sanctions considered against an employee or Workforce member in accordance with this Manual, whether or not imposed. Information that identifies the Individual whose privacy rights were violated shall be removed to the extent practicable. All such documents shall be retained at least until the date that is 6 years after the date on which they were created.

Revisions to this Manual

The Callier Center shall promptly revise the policies and procedures in this Manual as necessary and appropriate to comply with changes to the HIPAA Privacy Standards or any other applicable law. The Center may at any time make any revision to the policies and procedures set forth in this Manual, as desirable to improve confidentiality practices, that does not violate the HIPAA Privacy Standards or any other applicable law.

Effective Date of Changes to Privacy Policies and Procedures

a. The Center shall implement any change to these privacy policies and procedures as of the designated effective date of such change. A change’s effective date cannot occur until (i) the change has been incorporated into the particular policies and procedures in this Manual; and (ii) if the change affects the content of UT Dallas’ Notice of Privacy Practices, the notice has been revised to incorporate such change.

b. If a change to the Center’s privacy policies and procedures is required by law, University shall make a reasonable effort to implement such change by the compliance date of such law. To this end, the Center shall incorporate such change into the particular policies and procedures in this Manual.

Communication of Changes to the Callier Center Privacy Policies and Procedures

Following any material revision of the policies and procedures set forth in this Manual, the Center shall comply with any training obligation applicable under this Manual.

Documentation of Revisions to this Manual

Following a revision to any policies and procedures in this Manual, the Center shall retain a copy of the applicable pre-revision terms of the applicable policies and procedures, including the date on which such terms were superseded. Such documentation shall be retained in accordance with this Section.

HIPAA Regulatory Citations:  45 CFR § 164.316(b), § 164.310(d) Effective: 04/14/2003
Revised: 04/13/2013
Reviewed: 03/30/2021, 12/08/2015

Donise W. Pearson, HIPAA Privacy Officer
UT Dallas Callier Center