Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Designation of a Privacy Official and Contact Person


In § 164.518(a) of the NPRM, we proposed that covered entities be required to designate an individual as the covered entity's privacy official, responsible for the implementation and development of the entity's privacy policies and procedures. We also proposed that covered entities be required to designate a contact person to receive complaints about privacy and provide information about the matters covered by the entity's notice. We indicated that the contact person could be, but was not required to be, the person designated as the privacy official. We proposed to leave implementation details to the discretion of the covered entity. We expected implementation to vary widely depending on the size and nature of the covered entity, with small offices assigning this as an additional duty to an existing staff person, and large organizations creating a full-time privacy official. In proposed § 164.512, we also proposed to require the covered plan or provider's privacy notice to include the name of a contact person for privacy matters.

The final regulation retains the requirements for a privacy official and contact person as specified in the NPRM. These designations must be documented. The designation of privacy official and contact person positions within affiliated entities will depend on how the covered entity chooses to designate the covered entity(ies) under § 164.504(b). If a subsidiary is defined as a covered entity under this regulation, then a separate privacy official and contact person is required for that covered entity. If several subsidiaries are designated as a single covered entity, pursuant to § 164.504(b), then together they need have only a single privacy officer and contact person. If several covered entities share a notice for services provided on the same premises, pursuant to § 164.520(d), that notice need designate only one privacy official and contact person for the information collected under that notice.

These requirements are consistent with the approach recommended by the Joint Commission on Accreditation of Healthcare Organizations, and the National Committee for Quality Assurance, in its paper "Protecting Personal Health Information; A framework for Meeting the Challenges in a Managed Care Environment." This paper notes that "accountability is enhanced by having focal points who are responsible for assessing compliance with policies and procedures..." (p. 29)