Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Duty To Mitigate


In proposed § 164.518(f), we would have required covered entities to have policies and procedures for mitigating, to the extent practicable, any deleterious effect of a use or disclosure of protected health information in violation of the requirements of this subpart. The NPRM preamble also included specific language applying this requirement to harm caused by members of the covered entity's workforce and business associates.

With respect to business associates, the NPRM preamble but not the NPRM rule text, stated that covered entities would have a duty to take reasonable steps in response to breaches of contract terms. Covered entities generally would not be required to monitor the activities of their business associates, but would be required to take steps to address problems of which they become aware, and, where the breach was serious or repeated, would also be required to monitor the business associate's performance to ensure that the wrongful behavior had been remedied. Termination of the arrangement would be required only if it became clear that a business associate could not be relied upon to maintain the privacy of protected health information provided to it.

In the final rule, we clarify this requirement by imposing a duty for covered entities to mitigate any harmful effect of a use or disclosure of protected health information that is known to the covered entity. We apply the duty to mitigate to a violation of the covered entity's policies and procedures, not just a violation of the requirements of the subpart. We resolve the ambiguities in the NPRM by imposing this duty on covered entities for harm caused by either members of their workforce or by their business associates.

We eliminate the language regarding potential breaches of business associate contracts from this section. All other requirements with respect to business associates are stated in § 164.504.