NRPM: Standards for Privacy of Individually Identifiable Health Information. h. Administrative requirements for covered entities.


We propose that covered entities be required to implement five basic administrative requirements to safeguard protected health information: designation of a privacy official, the provision of privacy training, establishment of safeguards, a complaint process, and establishment of sanctions. Implementation of these requirements would vary depending on a variety of different factors such as type of entity (e.g., provider or plan), size of entity (e.g., number of employees, number of patients), the level of automation within the entity (e.g., electronic medical records), and organization of the entity (e.g., existence of an office of information systems, affiliation with a medical school).

In proposed § 164.518(a), we would require covered plans and providers to designate a privacy official to be responsible for the development of policies for the use and disclosure of protected health information and for the supervision of personnel with respect to use and disclosure of protected health information. The designation of a privacy official would focus the responsibility for development of privacy policy.

The implementation of this requirement would depend on the size of the entity. For example, a small physician’s practice might designate the office manager as the privacy official, and he or she would assume this as one of his or her broader administrative responsibilities. A large entity might appoint an individual whose sole responsibility is privacy policy, and that individual could choose to convene a committee representing several different components of the entity to develop and implement privacy policy.

In proposed § 164.518(b), we would require covered entities to provide training on the their policies and procedures with respect to protected health information. Entities would determine the most effective means of communicating with their workforce. For example, in a small physician practice, the training requirement could be satisfied by providing each new member of the workforce with a copy of the practice’s information policies and requiring members of the workforce to acknowledge that they have reviewed the policies. A large health plan could provide for a training program with live instruction, video presentations or interactive software programs. The small physician practice’s solution would not protect the large plan’s data, and the plan’s solution would be neither economically feasible nor necessary for the small physician practice.

In proposed § 164.518(c), we would require covered entities to put in place administrative, technical, and physical safeguards to protect against any reasonably anticipated threats or hazards to the privacy of the information, and unauthorized uses or disclosures of the information.

In proposed § 164.518(d), we would require covered plans and providers to have some mechanism for receiving complaints from individuals regarding the covered plan’s or provider’s compliance with the requirements of this proposed rule. We considered requiring covered plans and providers to provide a formal internal appeal mechanism, but rejected that option as too costly and burdensome for some entities. We also considered eliminating this requirement entirely, but rejected that option because a complaint process would give covered plans or providers a way to learn about potential problems with privacy policies or practices, or training issues. We also hope that providing an avenue for covered plans or providers to address complaints would lead to increased consumer satisfaction. We believe this approach strikes a reasonable balance between allowing covered plans or providers flexibility and accomplishing the goal of promoting attention to improvement in privacy practices.

We expect that sanctions would be more formally described and consistently carried out in larger, more sophisticated entities. Smaller, less sophisticated entities would be given more latitude and flexibility. For such smaller entities and less sophisticated entities, we would not expect a prescribed sanctions policy, but would expect that actions be taken if repeated instances of violations occur. In proposed § 164.518(e), we would require all covered entities to develop and apply when appropriate sanctions for failure to comply with policies or procedures of the covered entity or with the requirements of this proposed rule.