In our Recommendations, we call for a federal law that requires holders of identifiable health information to implement safeguards to protect it from inappropriate access, use or disclosure. No legislation or rule can effectively specify how to do this for every holder of health information. But federal rules can and should require those who hold identifiable health information to develop and implement basic administrative procedures to protect that information and protect the rights of the individual with respect to that information.
To accomplish this goal, we propose that covered entities be required to designate a privacy official, develop a privacy training program for employees, implement safeguards to protect health information from intentional or accidental misuse, provide some means for individuals to lodge complaints about the covered entity’s information practices, and develop a system of sanctions for employees and business partners who violate the entity’s policies or procedures. (See proposed § 164.518.) We also propose, in § 164.520, to require covered entities to maintain documentation of their policies and procedures for complying with the requirements of this proposed rule. The purpose of these requirements is to ensure that covered entities make explicit decisions about who would have access to protected health information, how that information would be used within the entity, and when that information would or would not be disclosed to other entities.