We propose that covered entities be required to have procedures for mitigating, to the extent practicable, any deleterious effect of a use or disclosure of protected health information by members of their workforce or by their business partners.
With respect to business partners, we also propose that covered entities have an affirmative duty to take reasonable steps in response to breaches of contract terms. For example, a covered entity that becomes aware that a business partner has improperly disclosed protected health information could require that business partner to take steps to retrieve the disclosed information. The covered entity also could require that business partner to adopt new practices to better assure that protected health information is appropriately handled. Covered entities generally would not be required to monitor the activities of their business partners, but would be required to take steps to address problems of which they become aware, and, where the breach is serious or repeated, would also be required to monitor the business partner’s performance to ensure that the wrongful behavior has been remedied. For example, the covered entity could require the business partner to submit reports or subject itself to audits to demonstrate compliance with the contract terms required by this rule. Termination of the arrangement would be required only if it becomes clear that a business partner cannot be relied upon to maintain the privacy of protected health information provided to it.
We expect that sanctions would be more formally described and consistently carried out in larger, more sophisticated entities. Smaller, less sophisticated entities would be given more latitude and flexibility. For such smaller, less sophisticated entities, we would not expect a prescribed sanctions policy, but would expect that action be taken if repeated instances of violations occur.