NRPM: Standards for Privacy of Individually Identifiable Health Information. f. Sanctions. (§164.518(f))


We propose in §164.518(f) that covered entities be required to have procedures for mitigating, to the extent practicable, any deleterious effect of a use or disclosure of protected health information by their members of their workforce or business partners. With respect to business partners, we also propose that covered entities have an affirmative duty to take reasonable steps in response to breaches of contract terms.