NPRM: Standards for Privacy of Individually Identifiable Health Information. G. Administrative requirements. (§ 164.518)


In § 164.518, we are proposing general administrative requirements for covered entities. We would require all covered entities to designate a privacy official, train members of their workforce regarding privacy requirements, safeguard protected health information, and establish sanctions for members of the workforce who do not abide by the entity’s privacy policies and procedures. In addition, we are proposing that covered plans and providers be required to establish a means for individuals to complain to the covered plan or provider if they believe that their privacy rights have been violated. In the discussions of each proposed provision, we provide examples of how different kinds of covered entities could satisfy these requirements.