NRPM: Standards for Privacy of Individually Identifiable Health Information. § 164.518 Administrative requirements.

11/03/1999

Except as otherwise provided, a covered entity must meet the requirements of this section.

(a) Designated privacy official: standard.

(1) Responsibilities of designated privacy official. A covered entity must designate a privacy official who is responsible for the development and implementation of the privacy policies and procedures of the entity.

(2) Contact person or office. A covered entity must designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by § 164.512. If a covered entity designates a contact person, it may designate the privacy official as the contact person.

(b) Training.

(1) Standard. All members of the covered entity’s workforce who, by virtue of their positions, are likely to obtain access to protected health information must receive training on the entity’s policies and procedures required by this subpart that are relevant to carrying out their function within the entity.

(2) Implementation specification. A covered entity must train all members of its workforce who, by virtue of their positions, are likely to obtain access to protected health information. Such training must meet the following requirements:

(i) The training must occur:

(A) For members of the covered entity’s workforce as of the date on which this subpart becomes applicable to such entity, by such date; and

(B) For persons joining the covered entity’s workforce after the date in paragraph (b)(2)(i)(A) of this section, within a reasonable period after the person joins the workforce.

(ii) The covered entity must require members of its workforce trained as required by this section to sign, upon completing training, a certification. The certification must state:

(A) The date of training; and

(B) That the person completing the training will honor all of the entity’s policies and procedures required by this subpart.

(iii) The covered entity must require members of its workforce trained as required by this section to sign, at least once every three years, a statement certifying that the person will honor all of the entity’s policies and procedures required by this subpart.

(iv) The covered entity must provide all members of its workforce with access to protected health information within the entity with further training, as relevant to their function within the entity, whenever the entity materially changes its privacy policies or procedures.

(c) Safeguards.

(1) Standard. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

(2) Implementation specification: verification procedures. A covered entity must have administrative, technical, and physical procedures in place to protect the privacy of protected health information. Such procedures must include adequate procedures for verification of the identity and/or authority, as required by this subpart, of persons requesting such information, where such identity or authority is not known to the entity, as follows:

(i) The covered entity must use procedures that are reasonably likely to establish that the individual or person making the request has the appropriate identity for the use or disclosure requested, except for uses and disclosures that are:

(A) Permitted by this subpart and made on a routine basis to persons or other entities with which the covered entity interacts in the normal course of business or otherwise known to the covered entity; or

(B) Covered by paragraphs (c)(2)(ii), (iii), or (iv) of this section.

(ii) When the request for information is made by a government agency under § 164.510(b), § 164.510(c), § 164.510(e), § 164.510(f), § 164.510(g), § 164.510(m), § 164.510(n), or § 164.522, and the identity and/or authority are not known to the covered entity, the covered entity may not disclose such information without reasonable evidence of identity and/or authority to obtain the information.

(A) For purposes of this paragraph, “reasonable evidence of identity” means:

(1) A written request on the agency’s letterhead;

(2) Presentation of an agency identification badge or official credentials; or

(3) Similar proof of government status.

(B) For purposes of this paragraph, “reasonable evidence of authority” means:

(1) A written statement of the legal authority under which the information is requested; a request for disclosure made by official legal process issued by a grand jury or a judicial or administrative body is presumed to constitute reasonable legal authority; or

(2) Where the request is made orally, an oral statement of such authority.

(iii) When the request for information is made by a person or entity acting on behalf of a government agency under § 164.510(b), § 164.510(c), § 164.510(g), or § 164.510(n), and the identity and/or authority are not known to the covered entity, the covered entity may not disclose such information without reasonable evidence of identity and/or authority to obtain the information.

(A) For the purposes of this paragraph, “reasonable evidence of identity” means:

(1) A written statement from the government agency, on the agency’s letterhead, that the person or entity is acting under the agency’s authority; or

(2) Other evidence or documentation, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person or entity is acting on behalf of or under the agency’s authority.

(B) For the purposes of this paragraph, “reasonable evidence of authority” means a statement that complies with paragraph (c)(ii)(B) of this section.

(iv) For uses and disclosures under § 164.510(d), § 164.510(h), or § 164.510(j), compliance with the applicable requirements of those sections constitutes adequate verification under this section.

(v) (A) A covered entity may reasonably rely on evidence of identity and legal authority that meets the requirements of this paragraph.

(B) Where presentation of particular documentation or statements are required by this subpart as a condition of disclosure, a covered entity may reasonably rely on documentation or statements that on their face meet the applicable requirements.

(3) Implementation specification: other safeguards. A covered entity must have safeguards to ensure that information is not used in violation of the requirements of this subpart or by members of its workforce or components of the entity or employees and other persons associated with, or components of, its business partners who are not authorized to access the information.

(4) Implementation specification: disclosures by whistleblowers. A covered entity is not considered to have violated the requirements of this subpart where a member of its workforce or an employee or other person associated with a business partner discloses protected health information that such member or other person believes is evidence of a violation of law to:

(i) The law enforcement official or oversight agency authorized to enforce such law; or

(ii) An attorney, for the purpose of determining whether a violation of law has occurred or assessing what remedies or actions at law may be available to the employee.

(d) Complaints to the covered entity.

(1) Standard. A covered entity that is a health plan or health care provider must provide a process whereby individuals may make complaints concerning the entity’s compliance with the requirements established by this subpart.

(2) Implementation specifications. A covered entity that is a health plan or health care provider must develop and implement procedures under which an individual may file a complaint alleging that the covered entity failed to comply with one or more requirements of this subpart. Such procedures must provide for:

(i) The identification of the contact person or office required by paragraph (a)(2) of this section; and

(ii) Maintenance by the covered entity of a record of all complaints and their disposition, if any.

(e) Sanctions: standard. A covered entity must develop and apply when appropriate sanctions against members of its workforce who fail to comply with the policies and procedures of the covered entity or the requirements of this subpart in connection with protected health information held by the covered entity or its business partners.

(f) Duty to mitigate: standard. A covered entity must have procedures for mitigating, to the extent practicable, any deleterious effect of a use or disclosure of protected health information in violation of this subpart.