Proposed Standards for Privacy of Individually Identifiable Health Information. Administrative requirements and policy development and documentation


This proposed rule would require providers and payers to develop and implement basic administrative procedures to protect health information and the rights of individuals with respect to that information.

  • Covered entities would be required to maintain documentation of their policies and procedures for complying with the requirements of the proposed rule. The documentation must include a statement of the entity’s practices regarding who would have access to protected health information, how that information would be used within the entity, and when that information would or would not be disclosed to other entities.
  • Covered entities would be required to have in place administrative systems, appropriate to the nature and scope of their business, that enable them to protect health information in accordance with this rule. Specifically, covered entities would be required to:
    • designate a privacy official;
    • provide privacy training to members of its workforce;
    • implement safeguards to protect health information from intentional or accidental misuse;
    • provide a means for individuals to lodge complaints about the entity’s information practices, and maintain a record of any complaints; and
    • develop a system of sanctions for members of the workforce and business partners who violate the entity’s policies.