NPRM: Standards for Privacy of Individually Identifiable Health Information. § 164.522 Compliance and enforcement.


(a) Principles for achieving compliance.

(1) Cooperation. The Secretary will, to the extent practicable, seek the cooperation of covered entities in obtaining compliance with the requirements established under this subpart.

(2) Assistance. The Secretary may provide technical assistance to covered entities to help them comply voluntarily with this subpart.

(b) Individual complaints to the Secretary. An individual who believes that a covered entity is not complying with the requirements of this subpart may file a complaint with the Secretary, provided that, where the complaint relates to the alleged failure of a covered entity to amend or correct protected health information pursuant to § 164.516, the Secretary may determine whether the covered entity has followed procedures that comply with § 164.516, but will not determine whether the information involved is accurate, complete, or whether errors or omissions might have an adverse effect on the individual.

(1) Requirements for filing complaints. Complaints under this section must meet the following requirements:

(i) A complaint must be filed in writing, either on paper or electronically.

(ii) A complaint should name the entity that is the subject of the complaint and describe in detail the acts or omissions believed to be in violation of the requirements of this subpart.

(iii) The Secretary may prescribe additional requirements for the filing of complaints, as well as the place and manner of filing, by notice in the Federal Register.

(2) Investigation. The Secretary may investigate complaints filed under this section. Such investigation may include a review of the pertinent policies, practices, and procedures of the covered entity and of the circumstances regarding any alleged acts or omissions concerning compliance.

(c) Compliance reviews. The Secretary may conduct compliance reviews to determine whether covered entities are complying with this subpart.

(d) Responsibilities of covered entities.

(1) Provide records and compliance reports. A covered entity must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the covered entity has complied or is complying with the requirements of this subpart.

(2) Cooperate with periodic compliance reviews. The covered entity shall cooperate with the Secretary if the Secretary undertakes a review of the policies, procedures, and practices of a covered entity to determine whether it is complying with this subpart.

(3) Permit access to information. A covered entity must permit access by the Secretary during normal business hours to its books, records, accounts, and other sources of information, including protected health information, and its facilities, that are pertinent to ascertaining compliance with this subpart. Where any information required of a covered entity under this section is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, the covered entity must so certify and set forth what efforts it has made to obtain the information. Protected health information obtained in connection with a compliance review or investigation under this subpart will not be disclosed by the Secretary, except where necessary to enable the Secretary to ascertain compliance with this subpart, in formal enforcement proceedings, or where otherwise required by law.

(4) Refrain from intimidating or retaliatory acts. A covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the filing of a complaint under this section, for testifying, assisting, participating in any manner in an investigation, compliance review, proceeding or hearing under this Act, or opposing any act or practice made unlawful by this subpart.

(e) Secretarial action regarding complaints and compliance reviews.

(1) Resolution where noncompliance is indicated.

(i) If an investigation pursuant to paragraph (b)(2) of this section or a compliance review pursuant to paragraph (c) of this section indicates a failure to comply, the Secretary will so inform the covered entity and, where the matter arose from a complaint, the individual, and resolve the matter by informal means whenever possible.

(ii) If the Secretary determines that the matter cannot be resolved by informal means, the Secretary may issue written findings documenting the non-compliance to the covered entity and, where the matter arose from a complaint, to the complainant. The Secretary may use such findings as a basis for initiating action under section 1176 of the Act or initiating a criminal referral under section 1177.

(2) Resolution where no violation is found. If an investigation or compliance review does not warrant action pursuant to paragraph (e)(1) of this section, the Secretary will so inform the covered entity and, where the matter arose from a complaint, the individual in writing.