Administrative Requirements
- A covered entity must develop written privacy policies and procedures that are consistent
with the Privacy Rule
- An entity must designate a Privacy Official and a contact person or contact office
responsible for developing policies and for receiving complaints and providing individuals
with information on the entity's privacy practices
- A covered entity must provide workforce training and management to its workforce members,
who include employees, volunteers, trainees, and may also include other persons whose
conduct is under the direct control of the entity (whether or not they are paid). An entity
must train all workforce members on its privacy policies yearly.
- A covered entity must have and apply appropriate sanctions against workforce members
who violate its privacy practices or the Privacy Rule
- A covered entity must mitigate, to the extent practicable, any harmful effect it learns
was caused by use or disclosure of PHI by its workforce or its business associates
in violation of its privacy policies or the Privacy Rule
- An entity must maintain reasonable and appropriate administrative, technical and physical
safeguards to prevent intentional or unintentional use of PHI in violation of the
Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise
permitted or required use. For example, safeguards might include:
  - Shredding documents containing PHI (do not discard in the trash)
  - Securing medical records with a lock and key or pass code
  - Limiting access to PHI
  - Escorting authorized personnel in areas that contain PHI
  - Using a secure email and encrypting identifiable information
- A covered entity must have procedures for individuals to complain about its compliance
with its privacy policies and procedures and the Privacy Rule. The covered entity
must explain those procedures in its privacy practices notice. Among other things,
the covered entity must identify to whom at the entity individuals can submit complaints
and advise that complaints can also be submitted to the Secretary of Human
and Health Services. See Filing Complaints for more information.